Развертывание ES и Kibana с помощью Helm (SSL включен по умолчанию)


Поскольку я уже использовал helm для развертывания EFK раньше, этот процесс показался мне довольно утомительным. Поэтому я доработал ветку 7.16 helm-charts так, чтобы логин, пароль и ssl-сертификат генерировались автоматически и для них создавался секрет в k8s. Таким образом, ssl включен по умолчанию уже при развертывании.
Изменения в ветке 7.16 репозитория helm-charts сделаны из личного интереса и предназначены только для справки.
В официальных чартах elastic/helm-charts автоматическая генерация сертификатов также реализована в последних изменениях.

Скачать чарты

$ git clone https://github.com/cloudenmin/helm-charts.git 
$ git checkout 7.16

Elasticsearch

values.yaml
имя пользователя по умолчанию: elastic
пароль по умолчанию: P@ssw0rD

security:
  # Default credentials for the `elastic` user. The hook job bakes these two
  # values into the elastic-credentials Secret, so override the password at
  # install time (e.g. `--set security.password=...`) instead of shipping
  # this default.
  username: "elastic"
  password: "P@ssw0rD"

Развернуть

$ cd elasticsearch
$ helm install elasticsearch . -n efk --create-namespace

Результат развертывания:

$ kubectl get pod -n efk
NAME                     READY   STATUS    RESTARTS   AGE
elasticsearch-master-0   1/1     Running   0          2m
elasticsearch-master-1   1/1     Running   0          2m
elasticsearch-master-2   1/1     Running   0          2m

Развертывание Kibana

Изменить values.yaml

# Kibana reaches Elasticsearch over the headless service via HTTPS. The
# certificate produced by the security job carries only the DNS name
# "security-master" (see `elasticsearch-certutil cert --dns security-master`
# in values.yaml).
# NOTE(review): confirm Kibana's TLS verification settings accept that name.
elasticsearchHosts: "https://elasticsearch-master-headless.efk.svc.cluster.local:9200"

Развернуть Kibana

$ cd kibana
$ helm install kibana . -n efk

Результат развертывания:

NAME                      READY   STATUS    RESTARTS   AGE
elasticsearch-master-0    1/1     Running   0          13m
elasticsearch-master-1    1/1     Running   0          13m
elasticsearch-master-2    1/1     Running   0          13m
kibana-79465dfb9f-chxft   1/1     Running   0          72s

Посетите https://${host_ip}:30601

Изменения в файлах

Создан файл job.yaml

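{{- if .Values.security.enable }}
{{- $serviceAccountName := .Values.security.rbac.serviceAccountName }}
---
# The job below creates and deletes Secrets, so it runs under a dedicated
# ServiceAccount that is granted only the permissions its script needs.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    # pre-install: seed credentials and certificates before the release starts.
    # post-delete: the same job runs again on uninstall.
    # NOTE(review): the script deletes and then re-creates the secrets, so a
    # post-delete run appears to leave fresh secrets behind after uninstall —
    # confirm this is intended.
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-7"
    "helm.sh/hook-delete-policy": before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-6"
    "helm.sh/hook-delete-policy": before-hook-creation
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    # Least privilege: the job script only issues GET (existence check),
    # DELETE and POST (create) against Secrets in the release namespace.
    # `list` and `update` were never used by it and are not granted.
    verbs:
      - get
      - create
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
---
# One-shot job that creates the user-credential and certificate Secrets.
# The job object is removed once it has finished (hook-succeeded policy plus
# ttlSecondsAfterFinished).
apiVersion: batch/v1
kind: Job
metadata:
  name: elastic-security-config
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-4"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
spec:
  ttlSecondsAfterFinished: 100
  template:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      containers:
        - name: create-security-config
          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
          imagePullPolicy: "{{ .Values.imagePullPolicy }}"
          env:
            # USERNAME/PASSWORD are base64-encoded here because the script
            # writes them straight into the Secret's `data` field, which
            # expects base64. Values are quoted so a digit-only encoding is
            # never retyped as a number by the YAML parser.
            - name: USERNAME
              value: {{ .Values.security.username | b64enc | quote }}
            - name: PASSWORD
              value: {{ .Values.security.password | b64enc | quote }}
            - name: NAMESPACE
              value: {{ .Release.Namespace | quote }}
          # The script itself lives in values.yaml under security.command.
          command:
{{ toYaml .Values.security.command | indent 12 -}}
{{- end }}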

Скрипт, выполняемый заданием,
определен в values.yaml

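security:
  # Script run by the elastic-security-config hook job (templates/job.yaml).
  # It talks to the API server directly using the pod's service-account token
  # and the cluster CA (--cacert), so the API connection is TLS-verified.
  # Expects USERNAME, PASSWORD (both base64-encoded) and NAMESPACE in the
  # environment, as set by the job template.
  command:
    - bash
    - -c
    - |
      #!/bin/bash
      # Fail fast: previously a failed Secret creation was only echoed and the
      # job still exited 0, so the install went on without credentials.
      set -euo pipefail
      KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
      KUBE_CERT='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
      SECRET_URL="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets"

      # Prints the HTTP status code of one API request.
      # $1 = method, $2 = URL, $3 = optional JSON body.
      api_status(){
        if [ -n "${3:-}" ]; then
          curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X "$1" "$2" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -d "$3" -o /dev/null
        else
          curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X "$1" "$2" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -o /dev/null
        fi
      }

      # Deletes Secret $1 if it exists; a missing Secret is not an error.
      delete_secret(){
        if [ "$(api_status GET "${SECRET_URL}/$1")" -eq 200 ]; then
          if [ "$(api_status DELETE "${SECRET_URL}/$1")" -eq 200 ]; then
            echo "deleting $1 successfully!"
          fi
        else
          echo "$1 does not exist"
        fi
      }

      # Remove secrets left over from a previous run so the new ones can be created.
      delete_secret elastic-credentials
      delete_secret elastic-certificates
      delete_secret elastic-certificate-pem
      delete_secret elastic-certificate-crt

      # Self-signed CA plus one node certificate. The PKCS#12 files and the PEM
      # key are written without a passphrase (--pass '' / -nodes); their only
      # protection is the Secret they are stored in.
      # NOTE(review): the DNS SAN is just "security-master" — confirm clients
      # (e.g. Kibana's elasticsearchHosts) are configured to accept that name.
      elasticsearch-certutil ca --out elastic-stack-ca.p12 --pass ''
      elasticsearch-certutil cert --name security-master --dns security-master --ca elastic-stack-ca.p12 --pass '' --ca-pass '' --out elastic-certificates.p12
      openssl pkcs12 -nodes -passin pass:'' -in elastic-certificates.p12 -out elastic-certificate.pem
      openssl x509 -outform der -in elastic-certificate.pem -out elastic-certificate.crt

      # Creates the elastic-credentials Secret from the already base64-encoded
      # USERNAME/PASSWORD. Returns non-zero (and thus fails the job) on error.
      create_user_secret(){
        DATA='{"apiVersion":"v1","kind":"Secret","type":"Opaque","metadata":{"name":"elastic-credentials","namespace":"'"${NAMESPACE}"'"},"data":{"password":"'"${PASSWORD}"'","username":"'"${USERNAME}"'"}}'
        HTTP_CODE=$(api_status POST "${SECRET_URL}" "${DATA}")
        if [ "${HTTP_CODE}" -eq 201 ]; then
          echo "${HTTP_CODE}: creating elastic-credentials successfully!"
        else
          echo "${HTTP_CODE}: failed to create elastic-credentials!" >&2
          return 1
        fi
      }

      # Create the username/password secret.
      create_user_secret

      # Creates Secret $1 holding file $2 under the key "$2" (base64-encoded).
      # Returns non-zero (and thus fails the job) on error.
      create_certificate_secret(){
        DATA='{"apiVersion":"v1","kind":"Secret","type":"Opaque","metadata":{"name":"'"$1"'","namespace":"'"${NAMESPACE}"'"},"data":{"'"$2"'":"'"$(base64 -w0 "$2")"'"}}'
        HTTP_CODE=$(api_status POST "${SECRET_URL}" "${DATA}")
        if [ "${HTTP_CODE}" -eq 201 ]; then
          echo "${HTTP_CODE}: creating $1 successfully!"
        else
          echo "${HTTP_CODE}: failed to create a $1!" >&2
          return 1
        fi
      }

      # Create the certificate secrets.
      create_certificate_secret elastic-certificates elastic-certificates.p12
      create_certificate_secret elastic-certificate-pem elastic-certificate.pem
      create_certificate_secret elastic-certificate-crt elastic-certificate.crt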


Origin blog.csdn.net/weixin_45804031/article/details/126178655