Configure DNS and TLS
Graylog API Security allows you to enable TLS to add encryption to the API traffic that you capture. In this article, we review how to enable TLS, including how to use your own certificate-key pair and how to take advantage of the built-in cert-manager utility to generate a valid certificate-key pair.
Configure DNS
Before you can enable TLS or authentication, you must associate a DNS name with your Graylog API Security installation. We use the name MYGL-APISEC in the examples here. You can pick your own name for your installation.
The MYGL-APISEC name needs to resolve to the external IP address (EXTERNAL-IP) associated with your installation, as reported by this command:
kubectl get svc resurface-kubernetes-ingress -n resurfaceAfter you create your DNS entry, you can access your Graylog API Security installation using this url: http://MYGL-APISEC/ui/
Enable TLS
You can generate a TLS certificate-key pair for your Graylog API Security installation, or you can use your own certificate if you have one already.
Hint: You must configure DNS resolution before you can enable TLS. We strongly recommend configuring TLS so that data is encrypted over the network.
Use Your Own Certificate
If you already have a TLS certificate-key pair, you can create a Kubernetes secret to store them:
kubectl create secret tls resurface-tls -n resurface --cert=PATH/TO/CERT/FILE --key=PATH/TO/KEY/FILEEnable TLS for your Graylog API Security installation, referencing the Kubernetes secret:
helm upgrade resurface resurfaceio/resurface --namespace resurface --set ingress.tls.enabled=true --set ingress.tls.host=MYGL-APISEC --set ingress.tls.autoissue.enabled=false --set ingress.tls.byoc.secretname=resurface-tls --reuse-valuesYou can now access your installation using this url: https://MYGL-APISEC/ui
Generate a Certificate
If you don't have a TLS certificate-key pair yet, Graylog API Security makes it easy to generate one. Use the cert-manager utility to automatically issue or renew a TLS certificate for your Graylog API Security installation. This built-in functionality utilizes Let's Encrypt as your certificate authority.
First, install cert-manager into your environment:
helm repo add jetstack https://charts.jetstack.io; helm repo update; helm install cert-manager jetstack/cert-manager --version v1.14.5 --set installCRDs=true --set prometheus.enabled=false
Hint: Do not follow this step if cert-manager is already installed. The cert-manager utility should be installed only once per cluster.
Enable TLS for your Graylog API Security installation by using cert-manager to manage your certificate:
helm upgrade resurface resurfaceio/resurface --namespace resurface --set ingress.tls.enabled=true --set ingress.tls.host=MYGL-APISEC --set ingress.tls.autoissue.enabled=true --set ingress.tls.autoissue.staging=false --set ingress.tls.autoissue.email=MYEMAIL --reuse-valuesYou can now access your installation using this url: https://MYGL-APISEC/ui
