
k8s集群部署elasticsearch集群和elasticsearch集群设置用户密码

天悦哥 04-13 16:00 阅读 2

目录

一、背景:

二、部署elasticsearch集群:

1、部署elasticsearch集群:

2、验证elasticsearch集群是否正常:

三、部署elasticsearch集群并设置用户密码

1、生成elastic集群所需的证书:

2、重新构建elasticsearch镜像:

3、部署elasticsearch集群:

4、设置elasticsearch集群的密码:

5、测试验证elasticsearch集群的认证:

总结:

二、部署elasticsearch集群:

1、部署elasticsearch集群:

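# Section 2: plain Elasticsearch 7.9.3 cluster — no authentication, no TLS.
# Anything that can reach the ClusterIP on 9200 has full read/write access to
# every index; section 3 enables xpack security on the same layout.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: sit
spec:
  selector:
    app: elasticsearch
  type: ClusterIP
  ports:
  - port: 9200              # REST API
    name: es-9200
    targetPort: 9200
  - port: 9300              # node-to-node transport
    name: es-9300
    targetPort: 9300
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es7-cluster
  namespace: sit
spec:
  serviceName: elasticsearch   # pods get stable names es7-cluster-{0,1,2}.elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        image: dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3
        resources:
          limits:
            cpu: 1000m
          requests:
            cpu: 100m
          # TODO(review): add memory requests/limits. ES_JAVA_OPTS below pins a
          # 1g heap and Elasticsearch needs off-heap memory on top of it, so an
          # unbounded pod is the first candidate for OOM-kill/eviction under
          # node memory pressure.
        ports:
        - containerPort: 9200
          name: rest
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        env:
          - name: cluster.name
            value: k8s-logs
          - name: node.name
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          # discovery.zen.minimum_master_nodes was dropped: Elasticsearch 7.x
          # ignores it (deprecation warning only) and manages the master quorum
          # itself; cluster.initial_master_nodes bootstraps that quorum.
          - name: discovery.seed_hosts
            value: "es7-cluster-0.elasticsearch,es7-cluster-1.elasticsearch,es7-cluster-2.elasticsearch"
          - name: cluster.initial_master_nodes
            value: "es7-cluster-0,es7-cluster-1,es7-cluster-2"
          - name: ES_JAVA_OPTS
            value: "-Xms1g -Xmx1g"   # Xms and Xmx must be equal
      initContainers:
      # The PVC is attached root-owned; the elasticsearch process runs as uid
      # 1000 and must own its data directory. chown as container root needs
      # only CAP_CHOWN, which is in the default capability set, so this step
      # no longer asks for privileged: true.
      - name: fix-permissions
        image: dockerhub.jiang.com/system_containers/busybox:latest
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
      # vm.max_map_count is a node-level (non-namespaced) sysctl: this really
      # does need a privileged container and it changes the whole node, which
      # is why it is the only container left with privileged: true. Setting it
      # once on the node (sysctl.conf or a node-tuning DaemonSet) removes the
      # need for privileged admission from the workload entirely.
      - name: increase-vm-max-map
        image: dockerhub.jiang.com/system_containers/busybox:latest
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      # The former 'increase-fd-ulimit' init container (sh -c "ulimit -n 65536")
      # was removed: ulimit only affects the shell it runs in and that shell's
      # children, so it never reached the elasticsearch container. The open-file
      # limit actually in effect comes from the container runtime on the node;
      # check it with `ulimit -n` inside a running pod.
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "huawei-san"   # adjust to the cluster's storage class
      resources:
        requests:
          storage: 1Gi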
[root@master-01 xhj]# kubectl apply -f elasticsearch.yaml 
service/elasticsearch created
statefulset.apps/es7-cluster created
[root@master-01 xhj]# k get svc
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
elasticsearch   ClusterIP   172.44.255.234   <none>        9200/TCP,9300/TCP   43s
mysql           ClusterIP   None             <none>        3306/TCP,9125/TCP   48d
[root@master-01 xhj]# k get sts
NAME          READY   AGE
es7-cluster   1/3     47s
[root@master-01 xhj]# k get sts
NAME          READY   AGE
es7-cluster   3/3     2m12s

2、验证elasticsearch集群是否正常:

[root@master-01 xhj]# curl http://172.44.255.234:9200/
{
  "name" : "es7-cluster-2",
  "cluster_name" : "k8s-logs",
  "cluster_uuid" : "VeyRUKdwTHu5lySgV3XJVw",
  "version" : {
    "number" : "7.9.3",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868",
    "build_date" : "2020-10-16T10:36:16.141335Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

三、部署elasticsearch集群并设置用户密码

1、生成elastic集群所需的证书:

[root@master-01 ~]# docker run -it -d --name es-tls  dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3 /bin/bash
3dff79f1de6f7e3ba83db4b1af2d079e20589d57b028156473cba1b3346f6bbb
[root@master-01 ~]# docker exec -it es-tls /bin/bash
[root@3dff79f1de6f elasticsearch]# pwd
/usr/share/elasticsearch
[root@3dff79f1de6f elasticsearch]# ./bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files


Certificates written to /usr/share/elasticsearch/config/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
[root@master-01 ~]# docker cp es-tls:/usr/share/elasticsearch/config/elastic-certificates.p12 /xhj/elastic-certificates.p12

2、重新构建elasticsearch镜像:

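# Rebuild of the stock 7.9.3 image with the transport keystore produced in
# step 1 baked in.
# Caveat: COPY places elastic-certificates.p12 (node private key + CA cert,
# created with -pass "" i.e. unencrypted) into an image layer, so the image
# itself becomes secret material — anyone with pull access to the registry
# holds the key of a trusted cluster node. Mounting the file from a Kubernetes
# Secret at deploy time keeps the image free of key material.
FROM dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3
# MAINTAINER is deprecated; the LABEL carries the same information.
LABEL maintainer="jiang"
COPY elastic-certificates.p12 /usr/share/elasticsearch/config/
# The keystore must be readable by uid 1000, the user the stock image runs
# Elasticsearch as; group 0 matches the rest of the config directory.
RUN chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12
EXPOSE 9200 9300
CMD ["eswrapper"]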
[root@master-01 xhj]# docker build -t dockerhub.jiang.com/jxstjh-public/elasticsearch:7.9.3-p12 .
Sending build context to Docker daemon  127.5MB
Step 1/7 : FROM dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3
 ---> 1ab13f928dc8
Step 2/7 : MAINTAINER jiang
 ---> Running in beba0ca606a4
Removing intermediate container beba0ca606a4
 ---> 4a4003bf74c9
Step 3/7 : LABEL maintainer="jiang"
 ---> Running in b1e0c1168982
Removing intermediate container b1e0c1168982
 ---> c5eba7158904
Step 4/7 : COPY elastic-certificates.p12 /usr/share/elasticsearch/config/
 ---> 7b4dab67c080
Step 5/7 : RUN  chown 1000:0 /usr/share/elasticsearch/config/elastic-certificates.p12
 ---> Running in cb8f9383fa70
Removing intermediate container cb8f9383fa70
 ---> 071eb2ce173e
Step 6/7 : EXPOSE 9200 9300
 ---> Running in 5ca429e2b39e
Removing intermediate container 5ca429e2b39e
 ---> cfc9b0b05386
Step 7/7 : CMD ["eswrapper"]
 ---> Running in abbf96c90588
Removing intermediate container abbf96c90588
 ---> 9b6304124b9b
Successfully built 9b6304124b9b
Successfully tagged dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3-p12

3、部署elasticsearch集群:

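# Section 3: the same cluster with xpack security (authentication) and TLS on
# the node-to-node transport layer (9300).
# Scope note: the REST API on 9200 stays plain HTTP, so the basic-auth
# credentials sent to it (step 5: curl --user elastic http://...) cross the
# cluster network in clear text. Enabling xpack.security.http.ssl.* with a
# certificate that carries the service DNS name closes that gap.
apiVersion: v1
kind: Service
metadata:
  name: elastic-svc           # free to rename; serviceName and discovery.seed_hosts below must match
  namespace: sit              # namespace the cluster lives in
  labels:
    app: elastic-cluster
spec:
  selector:
    app: elastic-cluster
  type: ClusterIP
  ports:
  - name: rest-api
    port: 9200
    protocol: TCP
    targetPort: 9200
  - name: inter-node
    port: 9300
    protocol: TCP
    targetPort: 9300
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elastic-cluster       # pods become elastic-cluster-0..2
  namespace: sit
  labels:
    app: elastic-cluster
spec:
  serviceName: elastic-svc    # must equal the Service name above
  replicas: 3
  selector:
    matchLabels:
      app: elastic-cluster
      kubernetes.io/cluster-service: "true"
  template:
    metadata:
      labels:
        app: elastic-cluster
        kubernetes.io/cluster-service: "true"
    spec:
      initContainers:
      # The PVC is attached root-owned; the elasticsearch process runs as uid
      # 1000 and must own its data directory. chown as container root needs
      # only CAP_CHOWN (default capability set), so no privileged flag here.
      - name: fix-permissions
        image: dockerhub.jiang.com/system_containers/busybox:latest   # adjust to your registry
        imagePullPolicy: IfNotPresent
        command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
      # vm.max_map_count is a node-level (non-namespaced) sysctl: this needs a
      # privileged container and changes the whole node. Setting it once on
      # the node (sysctl.conf or a node-tuning DaemonSet) lets the workload run
      # without privileged admission at all.
      - name: increase-vm-max-map
        image: dockerhub.jiang.com/system_containers/busybox:latest   # adjust to your registry
        imagePullPolicy: IfNotPresent
        command: ["sysctl", "-w", "vm.max_map_count=262144"]
        securityContext:
          privileged: true
      # The former 'increase-fd-ulimit' init container (sh -c "ulimit -n 65536")
      # was removed: ulimit is per-process and only reaches that shell's
      # children, so it never applied to the elasticsearch container.
      volumes:
      - name: localtime
        hostPath:
          path: /etc/localtime
          type: ''
      containers:
      - name: elasticsearch
        # Image from step 2 with elastic-certificates.p12 copied into
        # /usr/share/elasticsearch/config. That file holds the node private
        # key and the CA cert, unencrypted, so everyone who can pull the image
        # can present itself as a trusted node on 9300. Preferred: the
        # unmodified 7.9.3 image plus a Kubernetes Secret holding the .p12,
        # mounted at /usr/share/elasticsearch/config/elastic-certificates.p12
        # via subPath.
        image: dockerhub.jiang.com/jiang-public/elasticsearch:7.9.3-p12   # adjust to your registry
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9200
          name: rest-api
          protocol: TCP
        - containerPort: 9300
          name: inter-node
          protocol: TCP
        volumeMounts:
        - name: data
          mountPath: /usr/share/elasticsearch/data
        - name: localtime
          readOnly: true
          mountPath: /etc/localtime
        env:
        - name: node.name
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        # discovery.zen.minimum_master_nodes was dropped: Elasticsearch 7.x
        # ignores it (deprecation warning only) and manages the master quorum
        # itself; cluster.initial_master_nodes bootstraps that quorum.
        # cluster.name is not set, so the image default "docker-cluster" is
        # used (visible in the curl output of step 5); set it explicitly if the
        # name matters to clients.
        - name: discovery.seed_hosts
          value: "elastic-svc"   # must equal the Service name above
        - name: cluster.initial_master_nodes
          value: "elastic-cluster-0,elastic-cluster-1,elastic-cluster-2"   # <StatefulSet name>-N
        - name: ES_JAVA_OPTS
          value: "-Xms1024m -Xmx1024m"   # size per workload; Xms and Xmx must be equal
        # Authentication on; TLS on the transport layer only (see scope note).
        - name: xpack.security.enabled
          value: "true"
        - name: xpack.security.transport.ssl.enabled
          value: "true"
        # "certificate" validates the peer's chain against the truststore but
        # not its hostname/IP. That is the only mode that works here because
        # the .p12 from step 1 was generated without DNS names or IPs; it also
        # means possession of the .p12 alone is enough to be accepted as a node.
        - name: xpack.security.transport.ssl.verification_mode
          value: "certificate"
        # Same .p12 serves as keystore and truststore (it contains the CA
        # cert). It was created with -pass "", so no secure_password entries
        # are needed in the Elasticsearch keystore; if you protect it with a
        # password, add xpack.security.transport.ssl.keystore.secure_password
        # and ...truststore.secure_password via elasticsearch-keystore.
        - name: xpack.security.transport.ssl.keystore.path
          value: "elastic-certificates.p12"
        - name: xpack.security.transport.ssl.truststore.path
          value: "elastic-certificates.p12"
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "huawei-san"   # adjust to the cluster's storage class
      resources:
        requests:
          storage: 2Gi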

验证elasticsearch集群运行情况:

4、设置elasticsearch集群的密码:

# Open a shell in one pod of the secured StatefulSet (namespace sit); the
# container's working directory is the Elasticsearch home, so the relative
# ./bin path below resolves.
# kubectl exec -it -n sit pods/elastic-cluster-0  -- /bin/bash
# 'interactive' prompts for a password for the elastic superuser and the other
# built-in users; 'auto' would generate and print them instead. Run it once,
# on any one node, after the cluster has formed: the passwords are written to
# the cluster's security index, not to the local node. It authenticates with
# the bootstrap password it is about to replace, so it is effectively a
# one-time step — later changes go through the change-password API.
./bin/elasticsearch-setup-passwords interactive

5、测试验证elasticsearch集群的认证:

[root@master-01 ~]# k get svc
NAME          TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)             AGE
elastic-svc   ClusterIP   172.34.44.86   <none>        9200/TCP,9300/TCP   16m
mysql         ClusterIP   None           <none>        3306/TCP,9125/TCP   48d
[root@master-01 ~]# curl http://172.34.44.86:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}[root@stcs-master-01 ~]#
[root@master-01 ~]# curl --user elastic  http://172.34.44.86:9200/
Enter host password for user 'elastic':
{
  "name" : "elastic-cluster-1",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "O-M9L7gfQBagxQxIBMjXIQ",
  "version" : {
    "number" : "7.9.3",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "c4138e51121ef06a6404866cddc601906fe5c868",
    "build_date" : "2020-10-16T10:36:16.141335Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

总结:
