Prerequisites
Cyral Sidecar version 2.24.0 or later.
A Kafka server.
A Vault Server with PKI engine enabled.
Required inputs
Kafka endpoint (hostname and port);
Kafka topic;
The API path to request certificates from the Vault PKI engine (e.g., cyral_pki/issue/example-dot-com);
The common name for the certificate that will be requested from Vault.
Updating the sidecar
You need to update your values.yaml and set the Vault Integration values so that the sidecar knows:
the API path to request new certificates from the Vault PKI engine and
the common name for the new certificate.
In the code snippet below, these values are defined under the vaultIntegration.secrets.filebeat section.
Note that the values of certificateChain, clientCertificate, and clientPrivateKey are usually the same. In the snippet, all three are set to cyral_pki/issue/example-dot-com, which you need to replace with the proper value. The certificate's common name is set in commonName, so you also need to replace cyral-filebeat.example.com with the proper value.
vaultIntegration:
  enabled: true
  integrationId: "<VaultIntegrationID>"
  awsRoleArn: <RoleARN>
  secrets:
    sidecar:
      certificateChain: "cyral_pki/issue/example-dot-com"
      serverCertificate: "cyral_pki/issue/example-dot-com"
      serverPrivateKey: "cyral_pki/issue/example-dot-com"
      commonName: "cyral-sidecar.example.com"
    filebeat:
      certificateChain: 'cyral_pki/issue/example-dot-com'
      clientCertificate: 'cyral_pki/issue/example-dot-com'
      clientPrivateKey: 'cyral_pki/issue/example-dot-com'
      commonName: 'cyral-filebeat.example.com'
Next, you have to set the Filebeat values so that it knows how to push logs to Kafka. In the following code snippet, replace <KafkaHost:KafkaPort> with your Kafka server endpoint and <KafkaTopic> with your topic name.
filebeat:
  output:
    type: kafka
    useTLS: true
    useMutualAuthentication: true
    usePrivateCertificateChain: true
    kafka:
      hosts: <KafkaHost:KafkaPort>
      topic: <KafkaTopic>
      version: 2.0.0
After updating your values.yaml file, you have to update the Helm deployment.
helm upgrade -i cyral-sidecar cyral-sidecar --namespace cyral-sidecar -f values.yaml --repo https://charts.cyral.com --version 2.23.2
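A pre-flight check for the values.yaml edits described above, as an added example that is not part of the original page or of Cyral's tooling: it flags placeholders and example values that were never replaced, missing Filebeat certificate settings, and TLS or mutual authentication left off. It assumes the key layout shown in the snippets (with kafka nested under filebeat.output and a single host:port in hosts) and reads only plain block-style YAML mappings; the function names and the sample input are constructed for illustration.

```python
import re

FB = "vaultIntegration.secrets.filebeat."   # key paths taken from this page
OUT = "filebeat.output."                    # assumption: kafka: nests under output:
SECRETS = [FB + k for k in ("certificateChain", "clientCertificate", "clientPrivateKey")]
REQUIRED = SECRETS + [FB + "commonName", OUT + "kafka.topic"]
EXPECT = dict(type="kafka", useTLS="true", useMutualAuthentication="true",
              usePrivateCertificateChain="true")
PLACEHOLDER = re.compile(r"<[^>]+>|example-dot-com|example\.com")

def flatten(text):
    """Flatten block-style YAML mappings (all this page uses) into dotted keys."""
    out, stack = {}, []                      # stack: (indent, key) of open parents
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()   # drop comments
        if not line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if val.strip():
            out[path] = val.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return out

def preflight(text):
    """Return a list of problems; an empty list means the values look ready."""
    v = flatten(text)
    problems = [f"missing {k}" for k in REQUIRED if not v.get(k)]
    problems += [f"placeholder left in {k}" for k, val in v.items() if PLACEHOLDER.search(val)]
    problems += [f"{OUT}{k} should be {w}" for k, w in EXPECT.items() if v.get(OUT + k) != w]
    if len({v[k] for k in SECRETS if k in v}) > 1:
        problems.append("filebeat secrets point at different Vault PKI paths")
    if not re.fullmatch(r"[\w.-]+:\d{1,5}", v.get(OUT + "kafka.hosts", "")):
        problems.append(f"{OUT}kafka.hosts is not host:port")
    return problems

# Constructed sample: TLS switched off and the Kafka placeholder left in place.
SAMPLE = """\
filebeat:
  output:
    type: kafka
    useTLS: false
    kafka:
      hosts: <KafkaHost:KafkaPort>
"""
print("\n".join(preflight(SAMPLE)))
```

Run preflight on the contents of your own values.yaml before the helm upgrade; the differing-paths message is only a prompt to double-check, since the page says the three paths are usually, not always, the same.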