一、elasticsearch集群(3节点)
- es宿主机配置
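# Elasticsearch refuses to start in production mode unless vm.max_map_count
# is at least 262144. Add the line below to /etc/sysctl.conf on every host
# that will run an Elasticsearch pod.
vim /etc/sysctl.conf
vm.max_map_count=262144
# Apply the settings from /etc/sysctl.conf without rebooting.
sysctl -p
# Directory that backs the local PersistentVolumes.
# Mode 777 would let every local account on the host read and rewrite the
# index data, so the directory is handed to uid 1000 / gid 0 instead (the
# user the official Elasticsearch image runs as; adjust if your image
# differs) and closed to everyone else.
mkdir -p /mnt/es_data && chown 1000:0 /mnt/es_data && chmod 770 /mnt/es_data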
- 创建pv-sc-es.yaml文件
# Statically created local PersistentVolume for the first Elasticsearch node.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: elasticsearch-pv0
spec:
  storageClassName: elasticsearch-storage
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  local:
    # Directory on the node's filesystem that holds the data.
    path: /mnt/es_data
  # The volume is only usable on the node labelled es=pv0.
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: es
              operator: In
              values:
                - pv0
---
# Statically created local PersistentVolume for the second Elasticsearch node.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: elasticsearch-pv1
spec:
  storageClassName: elasticsearch-storage
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  local:
    # Directory on the node's filesystem that holds the data.
    path: /mnt/es_data
  # The volume is only usable on the node labelled es=pv1.
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: es
              operator: In
              values:
                - pv1
---
# Statically created local PersistentVolume for the third Elasticsearch node.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: elasticsearch-pv2
spec:
  storageClassName: elasticsearch-storage
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Delete
  local:
    # Directory on the node's filesystem that holds the data.
    path: /mnt/es_data
  # The volume is only usable on the node labelled es=pv2.
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: es
              operator: In
              values:
                - pv2
---
# StorageClass for the hand-made local volumes: nothing is provisioned
# dynamically, and a claim is bound only once a pod that uses it is scheduled.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: elasticsearch-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer
- 创建configmap-es.yaml文件
# Elasticsearch settings shared by the three nodes.
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-es
  namespace: default
data:
  # Plain keys; the StatefulSet on this page reads network.host through
  # configMapKeyRef.
  cluster.name: "es-cluster"
  network.host: "0.0.0.0"
  # Mounted into the pods as config/elasticsearch.yml.
  # Security is on for both layers: HTTP clients and cluster nodes talk TLS.
  # On the transport layer, verification_mode "certificate" checks that the
  # peer certificate chains to the trusted CA but does not check the hostname,
  # so any certificate issued by that CA can join the cluster; keep the CA key
  # offline.
  elasticsearch.yml: |
    cluster.name: es-cluster
    network.host: "0.0.0.0"
    http.port: 9200
    transport.port: 9300
    node.roles: [ingest,master,data]
    discovery.seed_hosts: ["elasticsearch-0.elasticsearch.default.svc.cluster.local","elasticsearch-1.elasticsearch.default.svc.cluster.local","elasticsearch-2.elasticsearch.default.svc.cluster.local"]
    cluster.initial_master_nodes: ["elasticsearch-0","elasticsearch-1","elasticsearch-2"]
    search.allow_expensive_queries: true
    ingest.geoip.downloader.enabled: false
    xpack.security.enabled: true
    xpack.security.enrollment.enabled: true
    xpack.security.http.ssl:
      enabled: true
      keystore.path: /usr/share/elasticsearch/config/local-certs/http.p12
      truststore.path: /usr/share/elasticsearch/config/local-certs/http.p12
    xpack.security.transport.ssl:
      enabled: true
      verification_mode: certificate
      keystore.path: /usr/share/elasticsearch/config/local-certs/elastic-certificates.p12
      truststore.path: /usr/share/elasticsearch/config/local-certs/elastic-certificates.p12
- 创建certificates-es.yaml
# TLS keystores for Elasticsearch, mounted under config/local-certs.
# NOTE(review): the base64 values are an encoding, not encryption. Both
# keystores contain private keys, so keep the filled-in manifest out of
# version control and restrict who may read Secrets in this namespace.
apiVersion: v1
kind: Secret
metadata:
  name: es-certificates
  namespace: default
data:
  # Value comes from: cat elastic-certificates.p12 | base64 -w 0
  elastic-certificates.p12: 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
  # Value comes from: cat http.p12 | base64 -w 0
  http.p12: 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
# elastic-certificates.p12 and http.p12 are produced by the certificate steps
# at the end of this article.
- 创建statefulset-es.yaml
# Headless Service (clusterIP: None): gives every StatefulSet pod a stable DNS
# name of the form elasticsearch-N.elasticsearch.default.svc.cluster.local.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: default
  labels:
    app: elasticsearch
spec:
  clusterIP: None
  selector:
    app: elasticsearch
  ports:
    # HTTPS API
    - name: db
      port: 9200
    # Node-to-node transport
    - name: inter
      port: 9300
---
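# Publishes the Elasticsearch HTTPS API outside the cluster on node port 30092.
# Only the HTTP port is exposed. The transport port (9300) carries
# node-to-node traffic, which goes through the headless "elasticsearch"
# Service, so giving it a node port would only add an externally reachable
# entry point into the cluster protocol.
apiVersion: v1
kind: Service
metadata:
  name: es-nodeport
  namespace: default
  labels:
    app: elasticsearch
spec:
  type: NodePort
  selector:
    app: elasticsearch
  ports:
    - name: db
      port: 9200
      nodePort: 30092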
---
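# Three-node Elasticsearch cluster. Each pod gets its own claim from
# volumeClaimTemplates, bound to one of the local PersistentVolumes.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
  namespace: default
  labels:
    app: elasticsearch
spec:
  # Parallel: pods are created and deleted without waiting for one another.
  podManagementPolicy: Parallel
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      # Pods are scheduled only on nodes labelled elasticsearch=welles.
      nodeSelector:
        elasticsearch: welles
      containers:
        - name: elasticsearch
          # NOTE(review): the image is pulled by tag from a third-party
          # registry namespace; consider checking it against the upstream
          # release and pinning it by digest.
          image: ccr.ccs.tencentyun.com/zoehuawang/elasticsearch:8.14.1
          imagePullPolicy: IfNotPresent
          # vm.max_map_count is already set on the host in the first step of
          # this guide, so the container needs no privileged mode. A
          # privileged container has near-root access to the node, which turns
          # any compromise of Elasticsearch into a compromise of the host.
          # uid 1000 is the user the official Elasticsearch image runs as;
          # confirm that this mirror matches.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            capabilities:
              drop:
                - ALL
          resources:
            limits:
              cpu: 2
              memory: 4Gi
            requests:
              cpu: 0.5
              memory: 500Mi
          env:
            - name: network.host
              valueFrom:
                configMapKeyRef:
                  name: configmap-es
                  key: network.host
            # The node name is the pod name (elasticsearch-0, -1, -2), which is
            # what cluster.initial_master_nodes lists.
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          ports:
            - name: db
              containerPort: 9200
              protocol: TCP
            - name: inter
              containerPort: 9300
              protocol: TCP
          volumeMounts:
            # One claim, split into sub-directories by purpose.
            - name: es-data
              mountPath: /usr/share/elasticsearch/data
              subPath: es-data
            - name: es-data
              mountPath: /usr/share/elasticsearch/logs
              subPath: es-logs
            - name: es-data
              mountPath: /usr/share/elasticsearch/.cache
              subPath: es-cache
            - name: es-data
              mountPath: /usr/share/elasticsearch/plugins
              subPath: es-plugins
            - name: es-cert-file
              mountPath: /usr/share/elasticsearch/config/local-certs
            # Only the elasticsearch.yml key is mounted, as a single file.
            - name: es-config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
            - name: host-time
              mountPath: /etc/localtime
              readOnly: true
      volumes:
        - name: es-config
          configMap:
            name: configmap-es
            # 493 decimal is 0755 octal.
            defaultMode: 493
        - name: es-cert-file
          secret:
            secretName: es-certificates
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ""
  volumeClaimTemplates:
    - metadata:
        name: es-data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: 10Gi
        storageClassName: elasticsearch-storage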
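- 在宿主机节点上创建目录(/mnt/es_data),给节点打标签(PV 的 nodeAffinity 使用 es=pv0/pv1/pv2,StatefulSet 的 nodeSelector 使用 elasticsearch=welles),然后启动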
- 初始化超级用户密码:
# Open a shell in the first Elasticsearch pod.
kubectl exec -it elasticsearch-0 -- bash
# Inside the pod: reset the password of the built-in elastic superuser.
# "echo y" answers the confirmation prompt. The new password is printed to the
# terminal, so keep the output out of shared logs and shell recordings.
echo y | ./bin/elasticsearch-reset-password -u elastic --url https://elasticsearch.default.svc.cluster.local:9200
- 浏览器输入:https://nodeip:30092/_cat/nodes?v 检查elasticsearch集群是否正常
- 浏览器输入:https://nodeip:30092/_cluster/state/master_node,nodes?pretty 检查elasticsearch集群详情
- 创建新用户密码(kibana和logstash需要)
# Open a shell in the first Elasticsearch pod.
kubectl exec -it elasticsearch-0 -- bash
# Create the account that Kibana and Logstash log in with; replace 用户名 and
# 用户密码 with real values.
# NOTE(review): the $(...) part resets the elastic password once more, so the
# password obtained in the previous step stops working, and the new one is
# consumed by this request without being shown.
# NOTE(review): -k turns off certificate verification for this request.
# NOTE(review): the account is given the superuser role, and its password is
# later written in plaintext into configmap-kibana and configmap-logstash.
# A separate account per service with only the roles it needs would limit
# what a leaked ConfigMap gives away.
curl -X POST -k -u elastic:$(echo y | /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic --url https://elasticsearch:9200 | grep "New value" | awk '{print $NF}') "https://elasticsearch:9200/_security/user/用户名" -H 'Content-Type: application/json' -d'{"password":"用户密码","roles":["superuser","kibana_system"]}'
二、kibana(一个pod实例)
- 创建certificates-kibana.yaml文件
# TLS material for Kibana, mounted under /config/local-certs.
# NOTE(review): kibana.key is a private key and base64 is only an encoding;
# keep the filled-in manifest out of version control and restrict who may
# read Secrets in this namespace.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: kibana-certificates
  namespace: default
data:
  # Value comes from: cat elasticsearch-ca.pem | base64 -w 0
  elasticsearch-ca.pem: 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
  # Value comes from: cat kibana.crt | base64 -w 0
  kibana.crt: 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
  # Value comes from: cat kibana.key | base64 -w 0
  kibana.key: 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
# kibana.key, kibana.crt and elasticsearch-ca.pem are produced by the
# certificate steps at the end of this article.
- 创建configmap-kibana.yaml文件
# Kibana configuration. Kibana serves HTTPS itself and verifies the
# Elasticsearch certificates in "full" mode (CA chain and hostname).
# NOTE(review): elasticsearch.username and elasticsearch.password are stored
# here in plaintext, readable by anyone who may read ConfigMaps in this
# namespace. The Kibana keystore or a Secret-backed environment variable
# would keep the password out of the ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-kibana
  namespace: default
data:
  kibana.yml: |
    server.port: 5601
    server.host: "0.0.0.0"
    elasticsearch.hosts: [ "https://elasticsearch-0.elasticsearch.default.svc.cluster.local:9200","https://elasticsearch-1.elasticsearch.default.svc.cluster.local:9200","https://elasticsearch-2.elasticsearch.default.svc.cluster.local:9200" ]
    elasticsearch.ssl.verificationMode: "full"
    elasticsearch.ssl.certificateAuthorities: [ "/config/local-certs/elasticsearch-ca.pem" ]
    server.ssl.enabled: true
    server.ssl.certificate: /config/local-certs/kibana.crt
    server.ssl.key: /config/local-certs/kibana.key
    elasticsearch.username: "用户名"
    elasticsearch.password: "用户密码"
    path.data: /usr/share/kibana/data
    pid.file: /usr/share/kibana/kibana.pid
    logging.root.level: "error"
    i18n.locale: "zh-CN"
- 创建deployment-kibana.yaml文件
# Publishes the Kibana UI outside the cluster on node port 30561.
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: default
  labels:
    app: kibana
spec:
  type: NodePort
  selector:
    app: kibana
  ports:
    - name: kibana-ui
      port: 5601
      nodePort: 30561
---
# Single Kibana instance.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: default
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      restartPolicy: Always
      # The container starts as root: the start-up script below copies the
      # configuration into place and then switches to the kibana user via su.
      # NOTE(review): mounting kibana.yml directly with subPath, as the
      # Elasticsearch StatefulSet on this page does for elasticsearch.yml,
      # would probably remove the need for root. Verify against the image's
      # default user.
      securityContext:
        runAsUser: 0
      # Pods are scheduled only on nodes labelled feature=app.
      nodeSelector:
        feature: app
      containers:
        - name: kibana
          # NOTE(review): the image is pulled by tag from a third-party
          # registry namespace; consider checking it against the upstream
          # release and pinning it by digest.
          image: ccr.ccs.tencentyun.com/zoehuawang/kibana:8.14.1
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "500Mi"
              cpu: "1000m"
            limits:
              memory: "2Gi"
              cpu: "2000m"
          ports:
            - containerPort: 5601
              protocol: TCP
          command: ["/bin/sh","-c"]
          args:
            - |
              cat /config/kibana.yml > /usr/share/kibana/config/kibana.yml;
              su - kibana -c "/usr/share/kibana/bin/kibana";
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.name
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          volumeMounts:
            - name: kibana-config
              mountPath: /config
            - name: kibana-cert-file
              mountPath: /config/local-certs
            - name: host-time
              mountPath: /etc/localtime
              readOnly: true
      volumes:
        - name: kibana-config
          configMap:
            name: configmap-kibana
            # 420 decimal is 0644 octal.
            defaultMode: 420
        - name: kibana-cert-file
          secret:
            secretName: kibana-certificates
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ""
三、logstash(三个pod实例)
- 创建certificates-logstash.yaml文件
# CA certificate that Logstash uses to verify the Elasticsearch servers,
# mounted under /config/local-certs. The value is a base64-encoded PEM
# certificate (public material, no private key).
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: logstash-certificates
  namespace: default
data:
  # Value comes from: cat elasticsearch-ca.pem | base64 -w 0
  elasticsearch-ca.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTVENDQWpHZ0F3SUJBZ0lVVTRPaHFyUEFUK1BOTmh5ZUJKdC9NTit5ZnF3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd05ERXlNREFHQTFVRUF4TXBSV3hoYzNScFl5QkRaWEowYVdacFkyRjBaU0JVYjI5c0lFRjFkRzluWlc1bApjbUYwWldRZ1EwRXdIaGNOTWpVd016RTVNRGMxTXpFNFdoY05Namd3TXpFNE1EYzFNekU0V2pBME1USXdNQVlEClZRUURFeWxGYkdGemRHbGpJRU5sY25ScFptbGpZWFJsSUZSdmIyd2dRWFYwYjJkbGJtVnlZWFJsWkNCRFFUQ0MKQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DZ2dFQkFMYjM4bksycFNFRkJHSVYySTJlSTFkOAowbmR6NkVVRzhQeGJ6cmpzbStYZENycENxdkh3R0NKekhCeDVTc1VZQ1UyZW9UOXA3YjFIK0RjK0E5TG9wZWdHCjE2WXZYcDlPYmRUMi9ueGJPUHlxaG1wdUd0akp6aFIxSFM4V1g4NThPcm5vKzdtdzYxVXdrYkgyQkRLMGFBd20KOE1qRi9zM21OZVpTNktSclBQb2lKVnoyUk1mMVc5WTVmc08zV0VQNVFEUkhxSldZc2k1M0s0dzcvczlhRGJERwp5MzZSYnlqZFdkWkdpZm5wVVg4djFIRnNSTGRoTnRmc3QwYWZkN2JqeDIyQlU4MXBxUlRlTHZHNlowTDJiaDhlCldhcjRuMzRhTktXSGxienZ6U2RUM1RraTJtYUxhS0tmWHJXcS80Mk1telQvc0hBWXVxUmRTL2l4eVdZMG9zOEMKQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRlBxSXlvenFaRFpNZVgrd3g2YnhWcmVHeFZnbU1COEdBMVVkSXdRWQpNQmFBRlBxSXlvenFaRFpNZVgrd3g2YnhWcmVHeFZnbU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJCmh2Y05BUUVMQlFBRGdnRUJBR29wL3B6UGNYWnBKZEhjRGFNaDhEV054cDdaU0tOdnJSbnpKS0hwb1VVWTdhZHMKcDZUam9oVHhoaC9POG9EQ0h6TGZVZk1tblVKYmVNTEFhR3pYR092cTd0ZUlRa1d5cy9PQjVpTzVaZGRIVzRiUgoybWFNZXllNU13ZzhaZnc3ZkhHUTV5K1MvWExBMXkrbk82TThpbUlIZG04U2lwM3ZtTFNFR1NTY3FsL1ppWE43CkNySXFmT2ZHYWxtR1VPM2lpUmtWTTEvT09kbmhjZ3ZvYk5Iak53ODZ0dDdEWm9zOS9NVTNIZmRHYzZ3OWpjbHcKUnc1K0RLcldoU3VEUFhkRmJHZ3Nrc0RMc3F3WGxPRWRQQ3BMbzVydmc4MGREMHpoVEtLbERFVUFsa3J2MC95VgpIbmhTdndGU0tHUi90WjYyNTJnTm02c0kvVFBFOFR5RUJVdjNGSHc9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
# elasticsearch-ca.pem is produced by the certificate steps at the end of
# this article.
- 创建configmap-logstash.yaml文件
# Logstash settings, pipeline and JVM options. The Deployment on this page
# copies the three keys into /usr/share/logstash/config at start-up.
# NOTE(review): the tcp input in logstash.conf has no TLS or authentication
# configured, so any client that can reach port 9601 can submit events.
# NOTE(review): user and password of the elasticsearch output are stored here
# in plaintext, readable by anyone who may read ConfigMaps in this namespace.
# The Logstash keystore or a Secret-backed environment variable would keep
# the password out of the ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: configmap-logstash
  namespace: default
  labels:
    app: logstash
data:
  logstash.yml: |+
    path.config: /usr/share/logstash/config/logstash.conf
  logstash.conf: |+
    input{
      tcp {
        port => 9601
        codec => "json"
      }
    }
    output {
      elasticsearch {
        hosts => ["https://elasticsearch-0.elasticsearch.default.svc.cluster.local:9200","https://elasticsearch-1.elasticsearch.default.svc.cluster.local:9200","https://elasticsearch-2.elasticsearch.default.svc.cluster.local:9200"]
        ssl_enabled => true
        ssl_verification_mode => "full"
        ssl_certificate_authorities => "/config/local-certs/elasticsearch-ca.pem"
        user => "用户名"
        password => "用户密码"
        index => "logstash-%{+YYYY.MM.dd}"
      }
    }
  jvm.options: |+
    -Xms2g
    -Xmx2g
    11-13:-XX:+UseConcMarkSweepGC
    11-13:-XX:CMSInitiatingOccupancyFraction=75
    11-13:-XX:+UseCMSInitiatingOccupancyOnly
    -Djava.awt.headless=true
    -Dfile.encoding=UTF-8
    -Djruby.compile.invokedynamic=true
    -XX:+HeapDumpOnOutOfMemoryError
    -Djava.security.egd=file:/dev/urandom
    -Dlog4j2.isThreadContextMapInheritable=true
    -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000
    -Dlogstash.jackson.stream-read-constraints.max-number-length=10000
    -Duser.timezone=Asia/Shanghai
- 创建deployment-logstash.yaml文件
# Publishes the Logstash TCP input outside the cluster on node port 30961.
# NOTE(review): the input behind this port is configured on this page without
# TLS or authentication, so every host that can reach a node on 30961 can
# write into the logstash-* indices. Restrict the port with a firewall or
# NetworkPolicy, or keep the Service cluster-internal if all senders run in
# the cluster.
apiVersion: v1
kind: Service
metadata:
  name: logstash
  namespace: default
  labels:
    app: logstash
spec:
  type: NodePort
  selector:
    app: logstash
  ports:
    - name: logs
      port: 9601
      nodePort: 30961
---
# Three Logstash instances that receive JSON over TCP and ship it to
# Elasticsearch.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: logstash
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: logstash
  template:
    metadata:
      labels:
        app: logstash
    spec:
      # The container runs as root, and the start-up script below hands over
      # to docker-entrypoint without switching user in this manifest.
      # NOTE(review): mounting the three config files directly with subPath
      # would probably remove the need for root. Verify against the image's
      # default user.
      securityContext:
        runAsUser: 0
      # Pods are scheduled only on nodes labelled feature=app.
      nodeSelector:
        feature: app
      containers:
        - name: logstash
          # NOTE(review): the image is pulled by tag from a third-party
          # registry namespace; consider checking it against the upstream
          # release and pinning it by digest.
          image: ccr.ccs.tencentyun.com/zoehuawang/logstash:8.14.1
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "500Mi"
              cpu: "500m"
            limits:
              memory: "2Gi"
              cpu: "1000m"
          ports:
            - name: logstash
              containerPort: 9601
              protocol: TCP
          command: ["/bin/sh","-c"]
          args:
            - |
              cat /config/logstash.yml > /usr/share/logstash/config/logstash.yml;
              cat /config/logstash.conf > /usr/share/logstash/config/logstash.conf;
              cat /config/jvm.options > /usr/share/logstash/config/jvm.options;
              /usr/local/bin/docker-entrypoint
          env:
            - name: LOG_LEVEL
              value: "error"
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: logstash-config
              mountPath: /config
            - name: logstash-cert-file
              mountPath: /config/local-certs
            - name: host-time
              mountPath: /etc/localtime
              readOnly: true
      volumes:
        - name: logstash-config
          configMap:
            name: configmap-logstash
            # 420 decimal is 0644 octal.
            defaultMode: 420
        - name: logstash-cert-file
          secret:
            secretName: logstash-certificates
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ""
- 证书如何制作?⬇️
# Generate the TLS certificates the Elasticsearch cluster needs.
# This is an interactive transcript: lines ending in a prompt show the
# question certutil asks and the answer typed.
# NOTE(review): the CA key (elastic-stack-ca.p12) is created inside this
# helper container. Whoever holds it can issue certificates the cluster
# trusts, so copy it to protected storage and remove the container afterwards.
docker run -it -d --name es ccr.ccs.tencentyun.com/zoehuawang/elasticsearch:8.14.1
docker exec -it es bash
# Create the CA:
./bin/elasticsearch-certutil ca
# Use the CA to issue the transport-layer certificate:
./bin/elasticsearch-certutil cert --ca /usr/share/elasticsearch/elastic-stack-ca.p12
# Use the CA to issue the HTTP-layer certificate:
./bin/elasticsearch-certutil http
# Generate a certificate signing request? Answer n.
Generate a CSR? [y/N]n
# Use an existing CA? Answer y.
Use an existing CA? [y/N]y
# Path of the existing CA file:
CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12
# Password of the existing CA file; just press Enter if none was set.
Password for elastic-stack-ca.p12:
# Certificate validity period.
# NOTE(review): with 10y a leaked key stays usable for a decade unless the CA
# is replaced; plan for rotation.
For how long should your certificate be valid? [5y] 10y
# One certificate per node? Answer n: all nodes share a single certificate.
Generate a certificate per node? [y/N]n
# Enter the hostnames of all cluster nodes.
# Using the Kubernetes DNS names of the pods avoids problems when pod IPs change.
# The names usually have the form <pod-name>.<service-name>.<namespace>.svc.cluster.local
*.elasticsearch.default.svc.cluster.local
elasticsearch.default.svc.cluster.local
elasticsearch.default
elasticsearch
*.elasticsearch
# Is this correct? Answer y.
Is this correct [Y/n]y
# IP addresses of the nodes: DNS names were given above, so no fixed IPs are
# needed; just press Enter.
## Which IP addresses will be used to connect to your nodes?
# Is this correct? Answer y.
Is this correct [Y/n]y
# Change any of the certificate options? Answer n.
Do you wish to change any of these options? [y/N]n
# Private-key password; press Enter to leave it empty. The author recommends
# leaving it empty for convenience.
# NOTE(review): an empty password leaves the private key in http.p12
# unprotected wherever the file is copied. A non-empty password would also
# have to be given to Elasticsearch, which the configuration on this page
# does not do.
## What password do you want for your private key(s)?
# Where the certificate bundle is written:
Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip
# Unpack the zip file that was just generated.
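# Next, create the key and certificate signing request for Kibana
# (kibana.csr and kibana.key).
# The wildcard names are quoted so the shell hands them to certutil literally
# instead of trying to expand them against files in the current directory.
/usr/share/elasticsearch/bin/elasticsearch-certutil csr -name kibana -dns '*.elasticsearch.default.svc.cluster.local' -dns elasticsearch.default.svc.cluster.local -dns elasticsearch.default -dns elasticsearch -dns '*.elasticsearch'
# The command writes csr-bundle.zip by default.
unzip csr-bundle.zip
# The archive holds kibana.csr and kibana.key; both are used to produce
# kibana.crt.
cd kibana/
# Create the certificate file.
# -days is given explicitly because openssl issues a 30-day certificate when
# it is omitted; choose a lifetime that matches your rotation schedule.
# NOTE(review): -signkey signs the request with Kibana's own key, so the
# result is self-signed and not issued by the CA created above. Browsers will
# not trust it unless it is imported by hand, and by default openssl does not
# copy the DNS names from the request into the certificate. Signing the
# request with the CA is the sturdier option.
openssl x509 -req -days 365 -in kibana.csr -signkey kibana.key -out kibana.crt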
