Myluzh Blog

K8S部署Elasticsearch开启X-Pack安全认证

发布时间: 2024-9-14 文章作者: myluzh 分类名称: Kubernetes 朗读文章


0x00 制作带有证书的镜像
基于 Elasticsearch 的官方镜像创建一个新的自定义镜像,将证书文件包含在内。
1、生成证书
# 创建一个es-temp容器,生成elastic-certificates.p12
docker run -it --name es-temp elasticsearch:7.17.24 bash -c "bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass '' && ls -l config/elastic-certificates.p12"

# 把es-temp里面的elastic-certificates.p12复制到本地来
docker cp es-temp:/usr/share/elasticsearch/config/elastic-certificates.p12 ./elastic-certificates.p12
2、构建镜像
FROM elasticsearch:7.17.24
LABEL maintainer="myluzh <myluzh@qq.com>"
COPY elastic-certificates.p12 /usr/share/elasticsearch/config/
RUN  chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12
EXPOSE 9200 9300
docker build -t elasticsearch:7.17.24-p12 .
3、上传镜像到harbor私有仓
docker tag elasticsearch:7.17.24-p12 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
docker push 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
---
注意:这样做的好处可以直接把证书塞到容器内,也可以把p12证书通过secret存储在集群中,在pod中调用secret。
kubectl create secret generic es-cert --from-file=elastic-certificates.p12 --namespace my-namespace

0x01 部署Elasticsearch单节点
这边没有做持久化,如果需要做数据持久化需要把容器里面的/usr/share/elasticsearch/data挂载出来。
1、部署 elasticsearch_single_node.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-config
  namespace: default
data:
  elasticsearch.yml: |
    # 单节点
    discovery.type: single-node
    http.cors.allow-origin: '*'
    http.cors.enabled: true
    network.host: 0.0.0.0
    # 启用X-Pack安全功能
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
  namespace: default
spec:
  serviceName: "elasticsearch"
  replicas: 1
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: 172.30.82.223:5443/base/elasticsearch:7.17.24-p12
        ports:
        - containerPort: 9200
          name: es9200
        - containerPort: 9300
          name: es9300
        env:
        - name: ES_JAVA_OPTS
          value: -Xms2g -Xmx2g
        volumeMounts:
        - name: config-volume
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
          subPath: elasticsearch.yml
      volumes:
      - name: config-volume
        configMap:
          name: elasticsearch-config
---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: default
spec:
  clusterIP: None
  ports:
    - name: http
      port: 9200
      targetPort: 9200
    - name: transport
      port: 9300
      targetPort: 9300
  selector:
    app: elasticsearch
2、进入es容器内,设置密码
# 手动设置密码
./bin/elasticsearch-setup-passwords interactive
# 自动设置密码
./bin/elasticsearch-setup-passwords auto

Please confirm that you would like to continue [y/N]y
...
Changed password for user elastic
PASSWORD elastic = tVUsASb07cRYc3etwNyv
3、在集群内测试es连通性
[root@centos-test-5b7765fcbd-76vzc /]# curl -u elastic:tVUsASb07cRYc3etwNyv http://elasticsearch.default.svc.cluster.local:9200/_cluster/health?pretty
{
  "cluster_name" : "elasticsearch",
  "status" : "green",
  ...
}

0x02 部署Elasticsearch集群
参考连接:https://blog.csdn.net/weixin_45813250/article/details/131026318
apiVersion: v1           # 创建命名空间
kind: Namespace
metadata:
  labels:
    app: es7-cluster
    kubernetes.io/name: "Elasticsearch"
  name: elastic-worker
---
apiVersion: v1             # 创建service 文件用于内部通讯
kind: Service
metadata:
  name: es7-headless
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "Elasticsearch"
spec:
  clusterIP: None
  publishNotReadyAddresses: true
  ports:
  - name: rest-api
    port: 9200
    targetPort: 9200
  - name: inter-node
    port: 9300
    targetPort: 9300
  selector:
    app: es7-cluster
---
apiVersion: v1             
kind: ServiceAccount
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups:
  - ""
  resources:
  - "services"
  - "namespaces"
  - "endpoints"
  verbs:
  - "get"
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
- kind: ServiceAccount
  name: es7-cluster
  namespace: kube-system
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: es7-cluster
  apiGroup: ""
---
apiVersion: apps/v1             # 创建有状态的服务
kind: StatefulSet
metadata:
  name: es7-cluster
  namespace: elastic-worker
  labels:
    app: es7-cluster
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    srv: srv-elasticsearch
spec:
  serviceName: es7-headless
  replicas: 3
  selector:
    matchLabels:
      app: es7-cluster
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        app: es7-cluster
        kubernetes.io/cluster-service: "true"
    spec:
      serviceAccountName: es7-cluster
      containers:         # 主容器
      - name: elasticsearch
        image: e172.30.82.223:5443/base/elasticsearch:7.17.24-p12    # 自定义镜像,带有p12证书。
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9200
          name: rest-api
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
        env:
        - name: cluster.name
          value: "es7-cluster"
        - name: node.name
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: discovery.zen.minimum_master_nodes
          value: "2"
        - name: discovery.seed_hosts
          value: "es7-headless"
        - name: cluster.initial_master_nodes
          value: "es7-cluster-0,es7-cluster-1,es7-cluster-2"
        - name: ES_JAVA_OPTS
          value: "-Xms1g -Xmx1g"
        - name: xpack.security.enabled    # X-Pack 安全认证
          value: "true"
        - name: xpack.security.transport.ssl.enabled
          value: "true"
        - name: xpack.security.transport.ssl.verification_mode  # 证书校验类型
          value: "certificate"
        - name: xpack.security.transport.ssl.keystore.path    # 证书路径
          value: "elastic-certificates.p12"
        - name: xpack.security.transport.ssl.truststore.path
          value: "elastic-certificates.p12"
        - name: xpack.monitoring.ui.container.elasticsearch.enabled   # 生成并提供与容器相关的监控数据,待验证
          value: "true"
        #- name: reindex.remote.whitelist        # 设置同步白名单,可以用来数据迁移
        #  value: "192.168.10.13:9200"
      initContainers:        # 初始化容器
      - name: fix-permissions
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        securityContext:
          privileged: true
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
      - name: increase-vm-max-map
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      - name: increase-fd-ulimit
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ["sh", "-c", "ulimit -n 65536"]
      volumes:
      - name: localtime
        hostPath:
          path: /etc/localtime
          type: ''
  volumeClaimTemplates:   
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteMany" ]
      # 使用的存储类名称,需要配置一个有效的存储类
      storageClassName: "managed-nfs-storage"
      resources:
        requests:
          storage: 2Gi
参考链接:
k8s部署Elasticsearch集群+Kibana方案--开启X-Pack 安全认证
https://blog.csdn.net/weixin_45813250/article/details/131026318

标签: k8s 部署 k8s部署 apply elasticsearch elasticsearch7 es 单节点

发表评论