Deploying Elasticsearch and Kibana on Kubernetes with Helm
Posted on 19/03/2022 by Lisenet
We will install Elasticsearch and Kibana and secure the Elastic Stack with HTTPS traffic and basic security settings.
Prerequisites
This article uses our Kubernetes homelab.
The configuration files used in this article are available on GitHub. Clone the repository:
$ git clone https://github.com/lisenet/kubernetes-homelab.git
$ cd ./kubernetes-homelab/logging/
The Plan
- Install Helm.
- Create an internal certificate authority (CA).
- Create a CA-signed wildcard certificate for Elasticsearch.
- Install Elasticsearch 7.17 using Helm.
- Install Kibana 7.17 using Helm.
Install Helm
On Debian, do the following:
$ curl https://baltocdn.com/helm/signing.asc | sudo apt-key add -
$ sudo apt-get install -y apt-transport-https
$ echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
$ sudo apt-get update
$ sudo apt-get install -y helm
Add the Helm repository:
$ helm repo add elastic https://helm.elastic.co
Create an Internal Certificate Authority (CA)
This section covers the steps required to create a root CA. Note that we do this for a homelab environment.
Generate a root CA valid for 10 years:
$ openssl req -newkey rsa:2048 -keyout homelab-ca.key -nodes -x509 -days 3650 -out homelab-ca.crt
Verify the X509v3 extensions; the certificate must be marked as a CA:
$ openssl x509 -text -noout -in homelab-ca.crt | grep CA
CA:TRUE
Create a wildcard certificate signed by the root CA for Elasticsearch and Kibana:
$ DOMAIN="wildcard.hl.test"
$ openssl genrsa -out "${DOMAIN}".key 2048 && chmod 0600 "${DOMAIN}".key
Generate a certificate signing request (CSR):
$ openssl req -new -sha256 -key "${DOMAIN}".key -out "${DOMAIN}".csr
Sign the request with the root CA:
$ openssl x509 -req -in "${DOMAIN}".csr -CA homelab-ca.crt -CAkey homelab-ca.key -CAcreateserial -out "${DOMAIN}".crt -days 1825 -sha256
Optional: import the root CA into your browser.
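The CA and wildcard-certificate steps above, collected into one script as an added example (this is not code from the original post or its repository). It keeps the post's file names (homelab-ca.key, homelab-ca.crt, wildcard.hl.test.*) and validity periods; the output directory, the certificate subjects, the subjectAltName extension and the expiry check are this example's own assumptions. The SAN is added because browsers reject certificates without one, whereas Elasticsearch with verification_mode "certificate" does not check hostnames and accepts the post's SAN-less certificate.

```shell
# Added example: build the homelab root CA and a CA-signed wildcard certificate,
# then verify the chain and the expiry window. Not part of the original post.
set -eu

make_homelab_certs() {
    outdir="$1"                        # where to write the key material (assumption)
    domain="${2:-wildcard.hl.test}"    # file name of the wildcard certificate, as in the post
    san="${3:-*.hl.test}"              # DNS name placed in subjectAltName (assumption)
    mkdir -p "$outdir"
    (
        cd "$outdir"
        # 1. Root CA: self-signed, 10 years, as in the post (-subj avoids the interactive prompt)
        openssl req -newkey rsa:2048 -keyout homelab-ca.key -nodes -x509 -days 3650 \
            -subj "/CN=Homelab Root CA" -out homelab-ca.crt >/dev/null 2>&1
        chmod 0600 homelab-ca.key
        # 2. Server key and CSR for the wildcard certificate
        openssl genrsa -out "${domain}.key" 2048 >/dev/null 2>&1
        chmod 0600 "${domain}.key"
        openssl req -new -sha256 -key "${domain}.key" -subj "/CN=${san}" -out "${domain}.csr"
        # 3. Sign with the root CA for 5 years. The extension file adds a subjectAltName
        #    and restricts the leaf to server authentication (both are additions to the post).
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$san" > "${domain}.ext"
        openssl x509 -req -in "${domain}.csr" -CA homelab-ca.crt -CAkey homelab-ca.key \
            -CAcreateserial -extfile "${domain}.ext" -out "${domain}.crt" -days 1825 -sha256 \
            >/dev/null 2>&1
    )
}

# Returns 0 when the CA really is a CA (CA:TRUE), the leaf chains to it,
# and the leaf carries a DNS subjectAltName.
verify_homelab_certs() {
    outdir="$1"
    domain="${2:-wildcard.hl.test}"
    openssl x509 -noout -text -in "$outdir/homelab-ca.crt" | grep -q 'CA:TRUE' || return 1
    openssl verify -CAfile "$outdir/homelab-ca.crt" "$outdir/${domain}.crt" >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$outdir/${domain}.crt" | grep -q 'DNS:' || return 1
    return 0
}

# Returns 0 when the certificate in $1 will have expired within $2 days,
# so a cron job can warn well before the 5-year leaf runs out.
cert_expires_within() {
    if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null; then
        return 1   # still valid beyond the window
    fi
    return 0
}

# Usage:
#   make_homelab_certs ./certs && verify_homelab_certs ./certs
#   cert_expires_within ./certs/wildcard.hl.test.crt 30 && echo "renew soon"
```

The generated files drop straight into the secrets created in the next section; the extension file is the only step that differs from the post's commands.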
Install Elasticsearch on Kubernetes
Create the logging namespace:
$ kubectl create namespace logging
Create a secret to store the Elasticsearch credentials:
$ kubectl apply -f ./elastic-credentials-secret.yml
Create a secret to store the Elasticsearch SSL certificates. We use the root CA to sign the certificate.
$ kubectl apply -f ./elastic-certificates-secret.yml
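The post applies the two secret manifests from its repository without showing them. As an added example (not the post's or the repository's files), the functions below render equivalent Secret objects so that the key names line up with what the Helm values expect: the values files read "username" and "password" from elastic-credentials through secretKeyRef, and mount tls.key, tls.crt and homelab-ca.crt from elastic-certificates under the certs directory. The sample username and password are placeholders, and the certificate file paths are assumptions.

```shell
# Added example: render the two Secret manifests the post applies with
# kubectl apply -f. Not part of the original post.
set -eu

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }      # single-line base64 (GNU and BSD)
b64file() { base64 < "$1" | tr -d '\n'; }

# elastic-credentials: consumed by extraEnvs via secretKeyRef (keys username/password).
render_credentials_secret() {
    username="$1"; password="$2"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: elastic-credentials
  namespace: logging
type: Opaque
data:
  username: $(b64 "$username")
  password: $(b64 "$password")
EOF
}

# elastic-certificates: mounted by secretMounts. The data keys become file names,
# so they must match the paths in esConfig/kibanaConfig, e.g.
# /usr/share/kibana/config/certs/tls.key -> key "tls.key".
render_certificates_secret() {
    key_file="$1"; crt_file="$2"; ca_file="$3"
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: elastic-certificates
  namespace: logging
type: Opaque
data:
  tls.key: $(b64file "$key_file")
  tls.crt: $(b64file "$crt_file")
  homelab-ca.crt: $(b64file "$ca_file")
EOF
}

# Check that a rendered manifest carries every data key the values files expect.
manifest_has_keys() {
    manifest="$1"; shift
    for k in "$@"; do
        printf '%s\n' "$manifest" | grep -q "^  ${k}: " || return 1
    done
    return 0
}

# Usage (the password is a placeholder; the certificate files come from the CA section):
#   render_credentials_secret elastic 'CHANGE-ME' > elastic-credentials-secret.yml
#   render_certificates_secret wildcard.hl.test.key wildcard.hl.test.crt homelab-ca.crt \
#       > elastic-certificates-secret.yml
```

The same manifests can be produced with kubectl create secret generic --from-literal / --from-file together with --dry-run=client -o yaml; the point of the check function is that a wrong key name (for example ca.crt instead of homelab-ca.crt) fails silently at apply time and only shows up when Elasticsearch cannot find the file.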
By default, Elasticsearch security features are disabled when using the Basic license. To enable them, we will use the xpack.security.enabled setting.
To enable TLS/SSL on the HTTP layer, which is used for communication between Elasticsearch and other clients, we will use the xpack.security.http.ssl.enabled setting.
Create the Elasticsearch values file values-elasticsearch.yml:
---
clusterName: "elasticsearch"
nodeGroup: "master"

roles:
  master: "true"
  ingest: "true"
  data: "true"
  remote_cluster_client: "true"
  ml: "true"

replicas: 1
minimumMasterNodes: 1

protocol: https
httpPort: 9200

imagePullPolicy: "IfNotPresent"

# Credentials come from the elastic-credentials secret created above
extraEnvs:
  - name: "ELASTIC_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "password"
  - name: "ELASTIC_USERNAME"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "username"

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: "true"
    xpack.security.transport.ssl.enabled: "true"
    xpack.security.transport.ssl.supported_protocols: "TLSv1.2"
    xpack.security.transport.ssl.client_authentication: "none"
    xpack.security.transport.ssl.key: "/usr/share/elasticsearch/config/certs/tls.key"
    xpack.security.transport.ssl.certificate: "/usr/share/elasticsearch/config/certs/tls.crt"
    xpack.security.transport.ssl.certificate_authorities: "/usr/share/elasticsearch/config/certs/homelab-ca.crt"
    xpack.security.transport.ssl.verification_mode: "certificate"
    xpack.security.http.ssl.enabled: "true"
    xpack.security.http.ssl.client_authentication: "none"

# Mounts the elastic-certificates secret created above at the path
# referenced by the xpack.security.*.ssl.* settings
secretMounts:
  - name: "elastic-certificates"
    secretName: "elastic-certificates"
    path: "/usr/share/elasticsearch/config/certs"

volumeClaimTemplate:
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 64Gi

service:
  enabled: true
  labels: {}
  labelsHeadless: {}
  type: LoadBalancer
  nodePort: ""
  annotations: {}
  httpPortName: https
  transportPortName: transport
  loadBalancerIP: "10.11.1.59"
  loadBalancerSourceRanges: []
  externalTrafficPolicy: ""

clusterHealthCheckParams: "wait_for_status=yellow&timeout=2s"
Deploy a single-node Elasticsearch with authentication, TLS certificates and our custom values:
$ helm upgrade --install elasticsearch \
  elastic/elasticsearch \
  --namespace logging \
  --version "7.17.1" \
  --values ./values-elasticsearch.yml
The Elasticsearch endpoint will be available at https://10.11.1.59:9200/.
You can test it with curl:
$ curl -sk -u "username:password" https://10.11.1.59:9200/ | jq
{
  "name": "elasticsearch-master-0",
  "cluster_name": "elasticsearch",
  "cluster_uuid": "t6rPuP6NSn6IDaW98J0VWw",
  "version": {
    "number": "7.17.1",
    "build_flavor": "default",
    "build_type": "docker",
    "build_hash": "e5acb99f822233d62d6444ce45a4543dc1c8059a",
    "build_date": "2022-02-23T22:20:54.153567231Z",
    "build_snapshot": false,
    "lucene_version": "8.11.1",
    "minimum_wire_compatibility_version": "6.8.0",
    "minimum_index_compatibility_version": "6.0.0-beta1"
  },
  "tagline": "You Know, for Search"
}
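The curl test above uses -k, which turns certificate verification off, so it would also accept a certificate that was not issued by the homelab CA. As an added example (not code from the original post), the script below checks the cluster with the root CA passed via --cacert instead, reads the cluster status from _cluster/health, and treats "yellow" as acceptable because a single-node cluster (replicas: 1) can never allocate replica shards, which matches the post's clusterHealthCheckParams. The URL, CA path and credentials are assumptions taken from the post's values; the health document used in the offline check is constructed.

```shell
# Added example: verify the Elasticsearch endpoint with the homelab CA rather
# than with curl -k. Not part of the original post.
set -eu

ES_URL="${ES_URL:-https://10.11.1.59:9200}"      # LoadBalancer IP from the values file
ES_CACERT="${ES_CACERT:-./homelab-ca.crt}"       # root CA created earlier (assumed path)
ES_CREDS="${ES_CREDS:-username:password}"        # placeholder; use the elastic-credentials values

# Extract a top-level string field ("status", "cluster_name", ...) from a JSON
# document on stdin, whether it is one line or pretty-printed; no jq required.
json_string_field() {
    field="$1"
    sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# green/yellow are fine for a single-node cluster; red (or an empty string from
# a failed request) is not.
status_is_acceptable() {
    case "$1" in
        green|yellow) return 0 ;;
        *) return 1 ;;
    esac
}

# Query the cluster with certificate verification on. curl fails (and prints
# nothing) if the presented certificate does not chain to homelab-ca.crt.
es_cluster_status() {
    curl -s --fail --cacert "$ES_CACERT" -u "$ES_CREDS" "$ES_URL/_cluster/health" \
        | json_string_field status
}

# Once xpack.security.http.ssl.enabled is true the listener speaks TLS only;
# a plaintext request on the same port must fail.
plain_http_rejected() {
    plain_url="$(printf '%s' "$ES_URL" | sed 's/^https:/http:/')"
    ! curl -s --fail --max-time 5 "$plain_url/" >/dev/null 2>&1
}

# Usage:
#   status="$(es_cluster_status)" && status_is_acceptable "$status" && plain_http_rejected \
#       && echo "elasticsearch ok ($status)"
```

Dropping -k is the whole point: with --cacert, a misconfigured secret (wrong tls.crt, or a certificate signed by a different CA) fails this check instead of being silently accepted.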
Install Kibana on Kubernetes
Create the Kibana values file values-kibana.yml:
---
elasticsearchHosts: "https://elasticsearch-master:9200"

replicas: 1

protocol: https
httpPort: 5601

imagePullPolicy: "IfNotPresent"

extraEnvs:
  - name: "NODE_OPTIONS"
    value: "--max-old-space-size=1800"
  - name: "ELASTICSEARCH_USERNAME"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "username"
  - name: "ELASTICSEARCH_PASSWORD"
    valueFrom:
      secretKeyRef:
        name: "elastic-credentials"
        key: "password"

kibanaConfig:
  kibana.yml: |
    server.ssl:
      enabled: "true"
      key: "/usr/share/kibana/config/certs/tls.key"
      certificate: "/usr/share/kibana/config/certs/tls.crt"
      certificateAuthorities: [ "/usr/share/kibana/config/certs/homelab-ca.crt" ]
      clientAuthentication: "none"
      supportedProtocols: [ "TLSv1.2", "TLSv1.3" ]
    elasticsearch.ssl:
      certificateAuthorities: [ "/usr/share/kibana/config/certs/homelab-ca.crt" ]
      verificationMode: "certificate"
    newsfeed.enabled: "false"
    telemetry.enabled: "false"
    telemetry.optIn: "false"

secretMounts:
  - name: "elastic-certificates"
    secretName: "elastic-certificates"
    path: "/usr/share/kibana/config/certs"
    defaultMode: "0755"

resources:
  requests:
    cpu: "55m"
    memory: "512Mi"
  limits:
    cpu: "1000m"
    memory: "2Gi"

service:
  type: LoadBalancer
  loadBalancerIP: "10.11.1.58"
  port: 5601
  nodePort: ""
  labels: {}
  annotations: {}
  loadBalancerSourceRanges: []
  httpPortName: http
Deploy Kibana, using authentication and TLS to connect to Elasticsearch:
$ helm upgrade --install kibana \
  elastic/kibana \
  --namespace logging \
  --version "7.17.1" \
  --values ./values-kibana.yml
The Kibana endpoint will be available at https://10.11.1.58:5601/.
Verify that the pods are running:
$ kubectl get po -n logging
NAME                             READY   STATUS    RESTARTS   AGE
elasticsearch-master-0           1/1     Running   0          23h
kibana-kibana-5d8dc78bfb-4fqr2   1/1     Running   0          23h
Verify the services:
$ kubectl get svc -n logging
NAME                            TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
elasticsearch-master            LoadBalancer   10.105.182.194   10.11.1.59    9200:31657/TCP,9300:32405/TCP   3d22h
elasticsearch-master-headless   ClusterIP      None             <none>        9200/TCP,9300/TCP               3d22h
kibana-kibana                   LoadBalancer   10.105.176.223   10.11.1.58    5601:31251/TCP                  3d21h
References
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/configuring-stack-security.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-settings.html
Source: https://www.cnblogs.com/gongzb/p/17609781.html