k8s上搭建elasticsearch7.16.2集群及配置X-Pack认证
🍇 配置 StorageClass，用于动态创建 PVC 并自动绑定 PV
这里我用ceph,需要自己准备存储
🥭 部署elasticsearch集群
🍍构建es镜像
[root@k8s-master1 dockerfile]# vim elasticsearch.yml
# elasticsearch.yml baked into the custom image (see the Dockerfile below).
cluster.name: "es-cluster"
# Bind every interface inside the pod so other pods can reach the node.
network.host: 0.0.0.0
# Enables authentication; the reserved users get passwords later via
# bin/elasticsearch-setup-passwords (see the transcript further down).
xpack.security.enabled: "true"
# TLS is turned on for the node-to-node transport layer (9300) only.
# xpack.security.http.ssl.enabled is NOT set, so the REST port 9200 stays
# plain HTTP and basic-auth credentials travel in clear text to it
# (Kibana below indeed uses http://elasticsearch:9200).
xpack.security.transport.ssl.enabled: "true"
# "certificate" validates the peer's chain against the CA but does not check
# the hostname; "full" would also verify the hostname. "certificate" is what
# makes the SAN-less self-signed cert created below usable between pods.
xpack.security.transport.ssl.verification_mode : certificate
# All three files come from the quickstart-es-cert Secret mounted at
# /usr/share/elasticsearch/config/certs. ca.crt is a copy of the same
# self-signed tls.crt — a self-signed certificate acts as its own CA.
xpack.security.transport.ssl.certificate_authorities : /usr/share/elasticsearch/config/certs/ca.crt
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/tls.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/tls.key
# cat dockerfile
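# Official 7.16.2 image plus the elasticsearch.yml above (X-Pack security and
# transport TLS). For a reproducible build, pin the base image by digest,
# e.g. elasticsearch:7.16.2@sha256:<DIGEST-PLACEHOLDER>, so a re-tagged
# upstream image cannot silently change what gets deployed.
FROM elasticsearch:7.16.2
# COPY rather than ADD: this is a plain local file, and ADD's extra
# behaviours (remote URL fetch, automatic archive extraction) are not wanted.
COPY elasticsearch.yml /usr/share/elasticsearch/config/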
# Build and push the custom image to the private registry.
# NOTE(review): the file listed above is shown as `dockerfile`, while -f
# names `Dockerfile-es`; make sure both refer to the same file.
[root@k8s-master1 dockerfile]# docker build -f Dockerfile-es -t core.harbor.domain/test/elasticsearch:7.16.2 .
docker push core.harbor.domain/test/elasticsearch:7.16.2
🥑 创建自签证书,并创建k8s的secret资源对象
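# Self-signed certificate and key for the Elasticsearch transport layer.
# -x509 emits a self-signed cert instead of a CSR; -nodes leaves the key
# unencrypted (the ES process must read it unattended); without -subj the
# DN fields are prompted for interactively and may all be left blank, as the
# transcript below shows. A blank/SAN-less cert is usable only because
# verification_mode is "certificate" (no hostname check).
mkdir crt && cd crt
openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 732 -keyout tls.key -out tls.crt
# The key comes out world-readable (0644, see the `ll` output below); restrict
# it to its owner before it is copied into the Secret.
chmod 600 tls.key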
Generating a 4096 bit RSA private key
....++
................................................................................................................................................++
writing new private key to 'tls.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@17s crt]# ll
total 8
-rw-r--r-- 1 root root 1911 Mar 23 09:12 tls.crt
-rw-r--r-- 1 root root 3272 Mar 23 09:12 tls.key
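# Package the self-signed cert as a Secret that the StatefulSet mounts under
# /usr/share/elasticsearch/config/certs. The cert is self-signed, so the same
# file is supplied as the CA (ca.crt=tls.crt). The es7-cluster namespace
# must already exist — this page does not show it being created.
kubectl create secret -n es7-cluster generic quickstart-es-cert \
  --from-file=ca.crt=tls.crt \
  --from-file=tls.crt=tls.crt \
  --from-file=tls.key=tls.key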
secret/quickstart-es-cert created
🍒 创建es-svc和sts服务
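---
# Service in front of the Elasticsearch StatefulSet.
# NOTE(review): type NodePort publishes BOTH ports on every node (the
# `kubectl get svc` output further down shows 9300 mapped to a node port as
# well). 9200 is plain HTTP (elasticsearch.yml enables TLS on the transport
# layer only), so anyone reaching the node network can talk to the cluster
# with just the basic-auth password. Outside a lab, prefer ClusterIP plus an
# Ingress/TLS front, and keep 9300 off the node network by serving it from a
# separate ClusterIP/headless Service.
kind: Service
apiVersion: v1
metadata:
  name: elasticsearch
  namespace: es7-cluster
  labels:
    app: elasticsearch
spec:
  selector:
    app: elasticsearch
  type: NodePort
  ports:
    - port: 9200
      targetPort: 9200
      nodePort: 31920
      name: rest
    - port: 9300
      targetPort: 9300
      name: inter-node
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch-master
  namespace: es7-cluster
spec:
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      schedulerName: default-scheduler
      initContainers:
        # Raises the node-level vm.max_map_count Elasticsearch requires.
        # Writing a node sysctl needs `privileged`; keep this container to
        # that one job. The 2Gi/4Gi resource block the original attached to
        # this one-shot busybox container has been moved to the Elasticsearch
        # container, which is what actually needs the memory. Pin the busybox
        # tag (or digest) so a privileged container is not a moving target.
        - name: increase-vm-max-map
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        # The original `increase-fd-ulimit` init container (`sh -c "ulimit -n
        # 65536"`) is dropped: a ulimit raised in one container's shell does
        # not carry over to the elasticsearch container, so it was a no-op
        # running as privileged. File-descriptor limits come from the
        # container runtime / node configuration instead.
      containers:
        - name: elasticsearch
          image: core.harbor.domain/test/elasticsearch:7.16.2
          imagePullPolicy: IfNotPresent
          # Constructed values: the 8g JVM heap below needs at least that much
          # RAM plus headroom for Lucene; size these to your actual nodes.
          resources:
            requests:
              memory: 10Gi
              cpu: 1.0
            limits:
              memory: 12Gi
              cpu: 2.0
          ports:
            - name: rest
              containerPort: 9200
            - name: inter
              containerPort: 9300
          volumeMounts:
            - name: es-master-data
              mountPath: /usr/share/elasticsearch/data
            # Certificate, key and CA from the quickstart-es-cert Secret; the
            # process only reads them, so mount read-only.
            - name: ca
              mountPath: /usr/share/elasticsearch/config/certs
              readOnly: true
          env:
            # NOTE(review): the elasticsearch.yml baked into the image sets
            # cluster.name "es-cluster"; this env value appears to be the one
            # the image entrypoint applies — keep the two in agreement.
            - name: cluster.name
              value: k8s-logs
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: cluster.initial_master_nodes
              value: "elasticsearch-master-0,elasticsearch-master-1,elasticsearch-master-2"
            # discovery.zen.minimum_master_nodes has been removed: it is
            # ignored by 7.x, which sizes the voting configuration itself.
            # NOTE(review): `elasticsearch` is a regular (non-headless)
            # Service, so this name resolves to the Service VIP rather than
            # to the individual pods; a headless Service (clusterIP: None) is
            # the usual seed for a StatefulSet. Verify formation with
            # GET _cat/nodes rather than trusting "Running" pods.
            - name: discovery.seed_hosts
              value: "elasticsearch"
            - name: ES_JAVA_OPTS
              value: "-Xms8g -Xmx8g"
            - name: network.host
              value: "0.0.0.0"
      volumes:
        - name: ca
          secret:
            secretName: quickstart-es-cert
  volumeClaimTemplates:
    - metadata:
        name: es-master-data
        labels:
          app: elasticsearch
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: rook-cephfs
        resources:
          requests:
            storage: 20Gi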
[root@17s esxpack]# kubectl get po -n es7-cluster
NAME READY STATUS RESTARTS AGE
elasticsearch-master-0 1/1 Running 0 111s
elasticsearch-master-1 1/1 Running 0 87s
elasticsearch-master-2 1/1 Running 0 53s
🍅 配置es集群密码
密码全部设为 123456；账号/密码：elastic / 123456
[root@17s esxpack]# kubectl exec -it -n es7-cluster elasticsearch-master-0 -- /bin/sh
sh-5.0# ls
LICENSE.txt NOTICE.txt README.asciidoc bin config data jdk lib logs modules plugins
sh-5.0# bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
sh-5.0#
🍄 安装 Google Chrome es-client 访问
[root@17s esxpack]# kubectl get svc -n es7-cluster
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch NodePort 10.100.135.240 <none> 9200:31920/TCP,9300:30704/TCP 20m
🍇 部署kibana
🍅 创建secret 存储密码
# Secret holding the elastic user's password for Kibana. Kibana should
# consume it through a secretKeyRef rather than repeating the literal in its
# ConfigMap. --from-literal places the password on the command line (shell
# history, process listing); outside a lab read it from a 0600 file instead:
#   kubectl -n es7-cluster create secret generic elasticsearch-password --from-file=password=./password.txt
kubectl -n es7-cluster create secret generic elasticsearch-password --from-literal password=123456
🥑 创建kibana-deploy.yaml
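---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: es7-cluster
  name: kibana-config
  labels:
    app: kibana
data:
  kibana.yml: |-
    server.name: kibana
    server.host: "0.0.0.0"
    # Plain HTTP on purpose: the Elasticsearch image enables TLS on the
    # transport layer only, so 9200 is not HTTPS.
    elasticsearch.hosts: [ "http://elasticsearch:9200" ]
    xpack.monitoring.ui.container.elasticsearch.enabled: true
    server.port: 5601
    kibana.index: ".kibana"
    elasticsearch.username: "elastic"
    # elasticsearch.password deliberately not set here: a ConfigMap is
    # readable by anyone allowed to `kubectl get cm`. The password is
    # injected from the elasticsearch-password Secret created above through
    # the ELASTICSEARCH_PASSWORD environment variable (Deployment below).
    i18n.locale: "zh-CN"
---
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: es7-cluster
  labels:
    app: kibana
spec:
  selector:
    app: kibana
  type: NodePort
  ports:
    - port: 5601
      protocol: TCP
      targetPort: 5601
      name: http
      nodePort: 30802
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: es7-cluster
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
        - name: kibana
          # Pinned to the same release as the Elasticsearch image (7.16.2);
          # the original 7.6.2 was many minors behind the cluster it queries.
          image: docker.elastic.co/kibana/kibana:7.16.2
          imagePullPolicy: IfNotPresent
          env:
            # The Kibana image maps ELASTICSEARCH_PASSWORD onto
            # elasticsearch.password, so the value never lands in the
            # ConfigMap and stays in the Secret.
            - name: ELASTICSEARCH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: elasticsearch-password
                  key: password
          resources:
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          ports:
            - containerPort: 5601
          volumeMounts:
            - name: kibana-config
              mountPath: /usr/share/kibana/config/kibana.yml
              readOnly: true
              subPath: kibana.yml
      volumes:
        - name: kibana-config
          configMap:
            name: kibana-config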
# Creates the ConfigMap, Service and Deployment from the manifest above.
kubectl apply -f kibana-deploy.yaml
🍓访问elastic
[root@17s esxpack]# kubectl get svc -n es7-cluster
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch NodePort 10.100.135.240 <none> 9200:31920/TCP,9300:30704/TCP 41m
kibana NodePort 10.96.9.76 <none> 5601:30802/TCP 5s