Preface
Previously, the usual way to add access control to ES was to put an HTTP password in front of it, which is not very convenient to use. X-Pack works well, but it was a paid product. Since ES 6, however, X-Pack has gradually opened up some features, such as the Monitor cluster-monitoring feature; from ES 6.8 onward part of the security functionality, including authentication, was made free, and later versions opened up further basic authentication features. This article shows how to use X-Pack to enable authentication for a clustered ES deployment. A single-node ES does not involve certificates and can simply be installed directly.
Preparing the image
This article re-tags the official image as its own; you can of course use the official image directly as well.
FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.6
# bake the cluster certificate (generated in the next section) into the config directory
ADD elastic-certificates.p12 /usr/share/elasticsearch/config/
# ES runs as the elasticsearch user, which must be able to read the keystore
RUN chown elasticsearch /usr/share/elasticsearch/config/elastic-certificates.p12
Push the image to your own registry:
# re-tag the official image (this tag is also used below to generate the certificate)
$ docker tag docker.elastic.co/elasticsearch/elasticsearch:6.8.6 aresxin/elasticsearch:6.8.6
# once elastic-certificates.p12 exists, build the Dockerfile above under the same tag and push it
$ docker build -t aresxin/elasticsearch:6.8.6 .
$ docker push aresxin/elasticsearch:6.8.6
Generating the certificate
Generate the cluster certificate elastic-certificates.p12.
ES ships with a certificate tool, elasticsearch-certutil; run it inside a Docker container, then copy the result out for the cluster to use.
$ docker run -dit --name=es aresxin/elasticsearch:6.8.6 /bin/bash
$ docker exec -it es /bin/bash
# generate the CA (elastic-stack-ca.p12); run inside the container
$ ./bin/elasticsearch-certutil ca
# generate the node certificate (elastic-certificates.p12) signed by that CA; leave the passwords empty, matching the -passin pass:'' used below
$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Press Ctrl+D to leave the container, then copy the certificate out:
$ docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# stop and remove the container
$ docker kill es
$ docker rm es
Adding the certificate to Kubernetes
Split the contents of the elastic-certificates.p12 generated above into a PEM file (the -nodes flag leaves the private key unencrypted in the output):
$ openssl pkcs12 -nodes -passin pass:'' -in elastic-certificates.p12 -out elastic-certificate.pem
Add the certificate to Kubernetes:
# add the certificates
$ kubectl create secret -n $namespace generic elastic-certificates --from-file=elastic-certificates.p12
$ kubectl create secret -n $namespace generic elastic-certificate-pem --from-file=elastic-certificate.pem
# set the cluster username and password
$ kubectl create secret -n $namespace generic elastic-credentials \
    --from-literal=username=elastic --from-literal=password=$password
Configuring the Helm values
Values file for the ElasticSearch master nodes (es-master.yaml):
# cluster name
clusterName: "es-01"
# node group name
nodeGroup: "master"
masterService: ""
# node roles
roles:
  master: "true"
  ingest: "false"
  data: "false"
replicas: 2
minimumMasterNodes: 2
esMajorVersion: "6"
# ElasticSearch 6.8+ ships the x-pack plugin by default; part of its functionality is free
esConfig:
  elasticsearch.yml: |
    network.host: 0.0.0.0
    cluster.name: "es-01"
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    # certificate: validates the peer certificate chain against the truststore, but not the hostname
    xpack.security.transport.ssl.verification_mode: certificate
    # paths are relative to the config directory; the file is baked into the image by the Dockerfile above
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# environment variables: pull the username and password from the secret created above
extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
imagePullSecrets:
  - name: xx
image: "aresxin/elasticsearch"
imageTag: "6.8.6"
imagePullPolicy: "Always"
esJavaOpts: "-Xmx1g -Xms1g"
resources:
  requests:
    cpu: "100m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"
volumeClaimTemplate:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 50Gi
persistence:
  enabled: true
# REST protocol, http or https. With http the basic-auth credentials cross the network in clear text;
# https additionally requires xpack.security.http.ssl.* to be configured in elasticsearch.yml
protocol: http
httpPort: 9200
transportPort: 9300
Values file for the ElasticSearch data nodes (es-data.yaml):
clusterName: "es-01"
nodeGroup: "data"
masterService: "es-01-master"
roles:
  master: "false"
  ingest: "true"
  data: "true"
replicas: 2
minimumMasterNodes: 2
esMajorVersion: "6"
imagePullSecrets:
  - name: xx
esConfig:
  elasticsearch.yml: |
    network.host: 0.0.0.0
    cluster.name: "es-01"
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
image: "aresxin/elasticsearch"
imageTag: "6.8.6"
imagePullPolicy: "Always"
esJavaOpts: "-Xmx1g -Xms1g"
resources:
  requests:
    cpu: "100m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"
volumeClaimTemplate:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 1000Gi
persistence:
  enabled: true
protocol: http
httpPort: 9200
transportPort: 9300
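Before running helm install, the security-relevant lines of both values files above can be linted mechanically. The following is an added example, not code from the original post or from the elastic/helm-charts project: it parses the flat key: value lines of the embedded elasticsearch.yml block (the MASTER_ES_YML sample is a constructed copy of the master file's block) together with the chart's protocol value, and returns the findings a reviewer would flag.

```python
"""Pre-deploy lint for the x-pack settings in the Helm values above (added example,
not code from the original post or from elastic/helm-charts). It parses the flat
key: value lines of the embedded elasticsearch.yml plus the chart's protocol value."""
from typing import Dict, List

# Constructed sample: the elasticsearch.yml block from the master values file above.
MASTER_ES_YML = """\
network.host: 0.0.0.0
cluster.name: "es-01"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat key: value lines; drops comments and surrounding quotes."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def check_security(es_yml: str, protocol: str) -> List[str]:
    """Return findings for one values file; an empty list means it passes."""
    s = parse_flat_yaml(es_yml)
    findings: List[str] = []
    if s.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: REST and transport are unauthenticated")
    if s.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("transport ssl disabled: node-to-node traffic is unencrypted")
    for store in ("keystore", "truststore"):
        if not s.get(f"xpack.security.transport.ssl.{store}.path"):
            findings.append(f"transport ssl {store}.path missing: no certificate material configured")
    if s.get("xpack.security.transport.ssl.verification_mode", "full") == "none":
        findings.append("verification_mode none: peer certificates are not validated")
    if protocol != "https":
        findings.append("protocol http: basic-auth credentials cross the network in clear text")
    return findings
```

Run against the master file above with protocol http, the only finding is the clear-text REST protocol; with protocol https and the same elasticsearch.yml block it returns an empty list.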
Installing ES with Helm
The ElasticSearch Helm chart comes from Elastic's official GitHub repository, https://github.com/elastic/helm-charts.
# add the Elastic repository to Helm
$ helm repo add elastic https://helm.elastic.co
# install the ElasticSearch master nodes
$ helm install elasticsearch-master -f es-master.yaml --namespace $namespace --version 6.8.6 elastic/elasticsearch
# install the ElasticSearch data nodes
$ helm install elasticsearch-data -f es-data.yaml --namespace $namespace --version 6.8.6 elastic/elasticsearch
# check the resources
$ kubectl get pod -n $namespace
es-01-data-0 1/1 Running 0 1m
es-01-data-1 1/1 Running 0 1m
es-01-master-0 1/1 Running 0 1m
es-01-master-1 1/1 Running 0 1m
Test access: an unauthenticated request is rejected with 401, and one carrying the elastic credentials succeeds.
# curl xx:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
# curl -u elastic:$password xx:9200
{
"name" : "es-01-data-1",
"cluster_name" : "es-01",
"cluster_uuid" : "8eNkuEcpSWa1tLGoSyN_Xg",
"version" : {
"number" : "6.8.6",
"build_flavor" : "default",
"build_type" : "docker",
"build_hash" : "3d9f765",
"build_date" : "2019-12-13T17:11:52.013738Z",
"build_snapshot" : false,
"lucene_version" : "7.7.2",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
That completes the deployment of an ES cluster with authentication using Helm!