Advanced configuration
editAdvanced configuration
editUse APM Agent central configuration
editAPM Agent configuration management
[7.5.1]
Added in 7.5.1.
allows you to configure your APM Agents centrally from within the Kibana APM app. To use this feature, the APM Server needs to be configured with connection details of the Kibana instance. If Kibana is managed by ECK, you can simply add a kibanaRef attribute to the APM Server specification:
cat <<EOF | kubectl apply -f -
apiVersion: apm.k8s.elastic.co/v1
kind: ApmServer
metadata:
name: apm-server-quickstart
namespace: default
spec:
version: 8.15.3
count: 1
elasticsearchRef:
name: quickstart
kibanaRef:
name: quickstart
EOF
Customize the APM Server configuration
editYou can customize the configuration of the APM Server using a config element in the specification:
apiVersion: apm.k8s.elastic.co/v1
kind: ApmServer
metadata:
name: apm-server-quickstart
namespace: default
spec:
version: 8.15.3
count: 1
config:
output:
elasticsearch:
headers:
X-My-Header: Just an example of a custom settings
elasticsearchRef:
name: quickstart
The configuration items you provide always override the ones that are generated by the operator.
APM Secrets keystore for secure settings
editThe APM Server keystore can be used to store sensitive settings in the APM Server configuration. ECK can automatically manage the APM Server keystore in the Pods.
-
First create a secret with the secret settings:
kubectl create secret generic apm-secret-settings --from-literal=ES_PASSWORD=asecretpassword
-
In the specification of the APM Server add a reference to the previously created secret within a
spec.secureSettingssection. Then reference the key in the APM Server configuration as it is described in the Secrets keystore for secure settings.apiVersion: apm.k8s.elastic.co/v1 kind: ApmServer metadata: name: apm-server-quickstart namespace: default spec: version: 8.15.3 count: 1 secureSettings: - secretName: apm-secret-settings config: output: elasticsearch: password: "${ES_PASSWORD}"
Reference an existing Elasticsearch cluster
editNow that you know how to use the APM keystore and customize the server configuration, you can manually configure a secured connection to an existing Elasticsearch cluster.
-
Create a secret with the Elasticsearch CA.
First, you need to store the certificate authority of the Elasticsearch cluster in a secret:
kubectl create secret generic es-ca --from-file=tls.crt=elasticsearch-ca.crt
the file
elasticsearch-ca.crtmust contain the CA certificate of the Elasticsearch cluster you want to use with the APM Server. -
You can then mount this secret using the Pod template, and reference the file in the
configof the APM Server.Here is a complete example with a password stored in the Keystore as described in the previous section:
apiVersion: apm.k8s.elastic.co/v1 kind: ApmServer metadata: name: apm-server-quickstart namespace: default spec: version: 8.15.3 count: 1 secureSettings: - secretName: apm-secret-settings config: output: elasticsearch: hosts: ["my-own-elasticsearch-cluster:9200"] username: elastic password: "${ES_PASSWORD}" protocol: "https" ssl.certificate_authorities: ["/usr/share/apm-server/config/elasticsearch-ca/tls.crt"] podTemplate: spec: containers: - name: apm-server volumeMounts: - mountPath: /usr/share/apm-server/config/elasticsearch-ca name: elasticsearch-ca readOnly: true volumes: - name: elasticsearch-ca secret: defaultMode: 420 optional: false secretName: es-ca # This is the secret that holds the Elasticsearch CA cert
TLS Certificates
editBy default the operator manages a private CA and generates a self-signed certificate used to secure the communication between APM agents and the server.
This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. See Setting up your own certificate for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.
For more details on how to configure the APM agents to work with custom certificates, see the APM agents documentation.