安装elasticsearch集群开启认证

## 节点：
172.30.1.101
172.30.1.131
172.30.1.102

## 下载rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.12.0-x86_64.rpm

# 安装elasticsearch
## 设置环境
rpm -ivh elasticsearch-7.12.0-x86_64.rpm

## 禁用swap
swapoff -a
sed -ri 's/.*swap.*/##&/' /etc/fstab  
## 最大文件数设置
cat > /etc/security/limits.d/elasticsearch.conf <<EOF  
elasticsearch    -       nofile          65535
elasticsearch    -       nproc           4096
EOF

echo "net.ipv4.tcp_retries2=5" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_time = 600" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_intvl = 60" >> /etc/sysctl.conf
echo "net.ipv4.tcp_keepalive_probes = 20" >> /etc/sysctl.conf



## 创建数据存储目录 ## 创建日志存储目录 ## 创建jvm转储目录
mkdir -p /data/elasticsearch/es-data

mkdir -p /data/elasticsearch/logs

mkdir -p /data/elasticsearch/jvm
## 设置目录权限
chown -R elasticsearch:elasticsearch /data/elasticsearch


# 分别配置3个节点配置信息

## 修改/etc/elasticsearch/jvm.options
vim /etc/elasticsearch/jvm.options
## 根据自己的服务器资源配置修改jvm内存
-Xms8g
-Xmx8g
## 修改jvm数据路径
-XX:HeapDumpPath=/data/elasticsearch/jvm
## 修改jvm日志路径
-XX:ErrorFile=/data/elasticsearch/logs/hs_err_pid%p.log
8:-Xloggc:/data/elasticsearch/logs/elasticsearch/gc.log
## 修改jvm日志路径
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/data/elasticsearch/logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m

# 以下配置只需在172.30.1.101节点上执行
## 安全认证配置
cd /usr/share/elasticsearch
## 生成证书：
pass参数当前不设置密码，如设置密码那么需要在每个节点上执行 bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password 导入密码


## 创建ca
/usr/share/elasticsearch/bin/elasticsearch-certutil ca -out /etc/elasticsearch/elastic-ca.p12 --days 36000 -pass ""


## 生成签名证书：
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-ca.p12 -out /etc/elasticsearch/elastic-certificates.p12 --days 36000 -pass ""


## scp拷贝到另外两台服务器/etc/elasticsearch/目录内
chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12
chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-ca.p12
## 修改权限
chmod 777 /etc/elasticsearch/elastic-certificates.p12
chmod 777 /etc/elasticsearch/elastic-ca.p12

scp /etc/elasticsearch/elastic-ca.p12 [email protected]:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-ca.p12 [email protected]:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-certificates.p12 [email protected]:/etc/elasticsearch/
scp /etc/elasticsearch/elastic-certificates.p12 [email protected]:/etc/elasticsearch/

##--------------------------------------------------------------------------
## 在安装Elasticsearch的目录中，运行Elasticsearch HTTP证书工具以生成证书签名请求（CSR）。
cd /usr/share/elasticsearch/
./bin/elasticsearch-certutil http
bin/elasticsearch-certutil http --pem -ca /etc/elasticsearch/elastic-ca.p12 --dns 172.30.1.101,172.30.1.102,172.30.1.131 --ip 172.30.1.101,172.30.1.102,172.30.1.131
该命令生成一个.zip文件，其中包含要与Elasticsearch和Kibana一起使用的证书和密钥。每个文件夹都包含有关README.txt 如何使用这些文件的说明。
    当询问您是否要生成CSR时，输入n。 N
    当系统询问您是否要使用现有的CA时，请输入y。Y
    输入您的CA的路径。这是elastic-stack-ca.p12为群集生成的文件的绝对路径。 /etc/elasticsearch/elastic-ca.p12
    输入您的CA的密码。   
    输入证书的过期值。您可以输入年，月或日的有效期。例如，输入90D90天。  99y
    当询问您是否要为每个节点生成一个证书时，输入y。      N  输入N跳过下一条
    每个证书将具有其自己的私钥，并将针对特定的主机名或IP地址颁发。   ····
    出现提示时，输入集群中第一个节点的名称。使用与生成节点证书时使用的节点名称相同的名称。  k8s-master01
    输入用于连接到第一个节点的所有主机名。这些主机名将作为DNS名称添加到证书的“使用者备用名称（SAN）”字段中。  172.30.1.131
    列出用于通过HTTPS连接到群集的每个主机名和变体。172.30.1.131
    输入客户端可用于连接到您的节点的IP地址。 172.30.1.131
    对集群中的每个其他节点重复这些步骤。
    
## 生成elasticsearch-ssl-http.zip  解压http.p12到/elasticsearch /kibana  
/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml


/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml


## 解压elasticsearch-ssl-http.zip
unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip
## 解压到
mv /usr/share/elasticsearch/elasticsearch/http.p12 /etc/elasticsearch
## 将elasticsearch-ca.pem传送到所有metricbeat节点上/etc/metricbeat目录
mv /usr/share/elasticsearch/kibana/elasticsearch-ca.pem /etc/metricbeat
#scp /etc/metricbeat/elasticsearch-ca.pem root@{hostname}:/root/

# 修改三个节点/etc/elasticsearch/elasticsearch.yml
vim /etc/elasticsearch/elasticsearch.yml

#配置es的集群名称，同一个集群中的多个节点使用相同的标识 如果在同一网段下有多个集群，就可以用这个属性来区分不同的集群。
cluster.name: nc-es-cluster

#节点名称分别配置不同节点名称
node.name: master01

#是不是有资格竞选主节点
node.master: true
#是否存储数据
node.data: true
#最大集群节点数
node.max_local_storage_nodes: 3

#数据存储路径
path.data: /data/elasticsearch/es-data
#日志存储路径
path.logs: /data/elasticsearch/logs

#节点所绑定的IP地址，并且该节点会被通知到集群中的其他节点 通过指定相同网段的其他节点会加入该集群中 0.0.0.0任意IP都可以访问elasticsearch
network.host: 172.30.1.101

#对外提供服务的http端口，默认为10092
http.port: 10092

#内部节点之间沟通端口
transport.tcp.port: 10093

#写入候选主节点的设备地址，在开启服务后可以被选为主节点
discovery.seed_hosts: ["172.30.1.101:10093", "172.30.1.131:10093", "172.30.1.102:10093"]

#初始化一个新的集群时需要此配置来选举master
cluster.initial_master_nodes: ["master01", "master02","master03"]

#head相关的跨域问题
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
#开启证书认证配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
#修改elasticsearch.yml
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/metricbeat/http.p12

#如有设置证书密码则需要添加到Elasticsearch中的安全设置中。
./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

##---------------------------------------------------------


## 启动所有节点elasticsearch
systemctl start elasticsearch
systemctl enable elasticsearch
cd /usr/share/elasticsearch
## 设置密码
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

密码：YunLi@2021
项目el密码：YunLizh!77el@2021
## 查看状态
curl -u elastic:YunLi@2021 -XGET 'https://172.30.1.101:10092/_cat/nodes?v'
##查看es的状态
curl -u elastic:YunLi@2021 -XGET 'https://172.30.1.101:10092/_cluster/health?pretty'

https://es.yunlizhihui.com:10092


# 安装kibana

yum install kibana-7.12.0-x86_64.rpm

## 启动kibana
systemctl start kibana
systemctl enable kibana

## kibana和浏览器的https设置
##为Kibana生成服务器证书和私钥
./bin/elasticsearch-certutil csr -name kibana-server -dns 域名
### 生成csr-bundle.zip
### 解压缩csr-bundle.zip文件以获得kibana-server.csr未签名的安全证书和kibana-server.key未加密的私钥。
### 将kibana-server.csr证书签名请求发送到您的内部CA或受信任的CA进行签名以获得签名的证书。签名文件可以在不同的格式，比如.crt像文件kibana-server.crt。
### 打开kibana.yml并添加以下行，以配置Kibana访问服务器证书和未加密的私钥
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server.key

## 使用本地ca证书签名证书
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/elastic-ca.p12 -name kibana-server --days 36000 --pem

## 从/usr/share/elasticsearch目录移动kibana证书到/etc/kibana目录
mv /usr/share/elasticsearch/kibana-server/kibana-server.crt /etc/kibana/
mv /usr/share/elasticsearch/kibana-server/kibana-server.key /etc/kibana/


## 修改配置
vi /etc/kibana/kibana.yml
server.port: 10056
server.host: "172.30.1.101"
elasticsearch.hosts: ["https://172.30.1.101:10092", "https://172.30.1.131:10092", "https://172.30.1.102:10092"]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-server.crt
server.ssl.key: /etc/kibana/kibana-server.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/metricbeat/elasticsearch-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate

## 存储用户名
/usr/share/kibana/bin/kibana-keystore add elasticsearch.username 

## 存储密码    
/usr/share/kibana/bin/kibana-keystore add elasticsearch.password

elasticsearch.username: "kibana_system"
elasticsearch.password: "YunLi@2021"

## 访问地址
https://172.30.1.101:10056
账号：elastic
密码：YunLi@2021

# 安装监控metricbeat
## 启动模块
metricbeat modules enable mysql
## 配置metricbeat模板
cd /etc/elasticsearch/
/usr/share/metricbeat/bin/metricbeat export template > ./metricbeat.template.json

## 导入密码
## 创建秘钥库存储elasticsearch，metricbeat的账号密码
metricbeat keystore create

## 添加账号密码  YunLi@2021
metricbeat keystore add elastic
## metricbeat keystore add kibana

## 查看秘钥库
metricbeat keystore list



## 配置metricbeat
## 修改/etc/elasticsearch/metricbeat.yml文件以下内容
##--------------------------------------------------------------------------------------------------------------
setup.kibana:
  host: "https://172.30.1.101:10056"
  ssl:
    certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
    verification_mode: "certificate"

http.enabled: true
http.port: 10057

output.elasticsearch:
  ##Array of hosts to connect to.
  hosts: ["172.30.1.131:10092", "172.30.1.101:10092", "172.30.1.102:10092"]
  index: ali-dev-%{+yyyy.MM.dd}
  ##Protocol - either `http` (default) or `https`.
  protocol: "https"
  ##Authentication credentials - either API key or username/password.
  username: "elastic"
  password: "${elastic}"
  ssl:
    certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
    verification_mode: "certificate"
## 启动
systemctl start metricbeat
systemctl enable metricbeat

http://172.30.1.131:3000/

grafana

yunli@123gr

setup.dashboards.index

logstash创建秘钥

cd /etc/logstash
/usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create