Installing an Authenticated Elasticsearch 6.x / 7.x Cluster with Helm


Preface

In the past, the usual way to add access control to ES was to put an HTTP password in front of it, which is not very friendly to use. X-Pack works well, but it was a paid product. Starting with ES 6, however, X-Pack gradually opened up some features, such as cluster monitoring; from ES 6.8 onwards part of the security functionality, including authentication, became free, and later versions opened up further basic authentication features. This post shows how to use X-Pack to add authentication to an ES cluster. A single-node ES does not involve certificates at all and can simply be installed as-is.

Preparing the image

This post tags the official image and bakes the certificate into it; you can also use the official image directly.

FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.6
# Bake the transport certificate generated below into the config directory
ADD elastic-certificates.p12 /usr/share/elasticsearch/config/
# The node runs as the elasticsearch user, which must be able to read the keystore
RUN chown elasticsearch /usr/share/elasticsearch/config/elastic-certificates.p12

Push the image to your own registry:

$ docker tag docker.elastic.co/elasticsearch/elasticsearch:6.8.6 aresxin/elasticsearch:6.8.6
$ docker push aresxin/elasticsearch:6.8.6

Generating the certificates

Generate the cluster certificate elastic-certificates.p12.
ES ships a certificate tool, elasticsearch-certutil. Run it inside a Docker container, then copy the result out for the cluster to use.

$ docker run -dit --name=es aresxin/elasticsearch:6.8.6 /bin/bash
$ docker exec -it es /bin/bash
# Inside the container: generate the CA, elastic-stack-ca.p12
$ ./bin/elasticsearch-certutil ca
# Generate the node certificate, elastic-certificates.p12, signed by that CA
$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Press Ctrl+D to leave the container, then copy the certificate out:

$ docker cp es:/usr/share/elasticsearch/elastic-certificates.p12 .
# Stop and remove the temporary container
$ docker kill es
$ docker rm es

Adding the certificates to Kubernetes

Extract the contents of the elastic-certificates.p12 generated above and write them to a PEM file.

$ openssl pkcs12 -nodes -passin pass:'' -in elastic-certificates.p12 -out elastic-certificate.pem

Add the certificates to Kubernetes:

# Add the certificates as secrets
$ kubectl create secret -n $namespace generic elastic-certificates --from-file=elastic-certificates.p12
$ kubectl create secret -n $namespace generic elastic-certificate-pem --from-file=elastic-certificate.pem

# Set the cluster username and password
$ kubectl create secret -n $namespace generic elastic-credentials \
  --from-literal=username=elastic --from-literal=password=$password

Configuring the Helm values

Values file for the Elasticsearch master nodes:

# Cluster name
clusterName: "es-01"
# Node group name
nodeGroup: "master"

masterService: ""
# Node roles
roles:
  master: "true"
  ingest: "false"
  data: "false"

replicas: 2

minimumMasterNodes: 2

esMajorVersion: "6"

# Elasticsearch 6.8+ ships with the x-pack plugin; some of its features are free
esConfig:
  elasticsearch.yml: |
    network.host: 0.0.0.0
    cluster.name: "es-01"
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# Environment variables: pull the username and password from the secret created above
extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password

imagePullSecrets:
  - name: xx

image: "aresxin/elasticsearch"
imageTag: "6.8.6"
imagePullPolicy: "Always"

esJavaOpts: "-Xmx1g -Xms1g"

resources:
  requests:
    cpu: "100m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"

volumeClaimTemplate:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 50Gi

persistence:
  enabled: true
# Protocol for the REST API; can be http or https
protocol: http
httpPort: 9200
transportPort: 9300

Values file for the Elasticsearch data nodes:

clusterName: "es-01"
nodeGroup: "data"

masterService: "es-01-master"

roles:
  master: "false"
  ingest: "true"
  data: "true"

replicas: 2

minimumMasterNodes: 2

esMajorVersion: "6"

imagePullSecrets:
  - name: xx

esConfig:
  elasticsearch.yml: |
    network.host: 0.0.0.0
    cluster.name: "es-01"
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

extraEnvs:
  - name: ELASTIC_USERNAME
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: username
  - name: ELASTIC_PASSWORD
    valueFrom:
      secretKeyRef:
        name: elastic-credentials
        key: password
image: "aresxin/elasticsearch"
imageTag: "6.8.6"
imagePullPolicy: "Always"

esJavaOpts: "-Xmx1g -Xms1g"

resources:
  requests:
    cpu: "100m"
    memory: "2Gi"
  limits:
    cpu: "1000m"
    memory: "2Gi"

volumeClaimTemplate:
  accessModes: [ "ReadWriteOnce" ]
  resources:
    requests:
      storage: 1000Gi
persistence:
  enabled: true

protocol: http
httpPort: 9200
transportPort: 9300
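
An added example, not part of the original post: a small audit of the security-relevant keys in the values files above, written without PyYAML because it only needs to read the shape shown here. Besides checking that the transport-TLS keys agree, it flags the protocol: http choice used above, since with plain HTTP the Basic credentials from elastic-credentials cross the network in cleartext; the hardened form is protocol: https together with xpack.security.http.ssl.enabled: true (the assumption being that the same elastic-certificates.p12 baked into the image can also serve as the http.ssl keystore).

```python
import re

# Security-relevant excerpt of the es-master.yaml shown on this page (constructed sample).
SAMPLE_VALUES = """\
esConfig:
  elasticsearch.yml: |
    network.host: 0.0.0.0
    cluster.name: "es-01"
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
protocol: http
"""

def parse_values(text):
    """Minimal reader for the shape above (no PyYAML): returns the top-level
    'protocol' value and a dict of the elasticsearch.yml settings."""
    es_yml, protocol, in_block = {}, None, False
    for line in text.splitlines():
        if re.match(r"\s+elasticsearch\.yml:\s*\|", line):
            in_block = True            # start of the block scalar
            continue
        if in_block and line.startswith("    "):
            key, _, val = line.strip().partition(":")
            es_yml[key] = val.strip().strip('"')
            continue
        in_block = False               # back at top level
        m = re.match(r"protocol:\s*(\S+)", line)
        if m:
            protocol = m.group(1).strip('"')
    return protocol, es_yml

def audit(text):
    """Return a list of findings; an empty list means the values look consistent."""
    protocol, es = parse_values(text)
    findings = []
    if es.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: no authentication at all")
    if es.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("transport TLS is off: node-to-node traffic is unencrypted")
    if es.get("xpack.security.transport.ssl.keystore.path") != es.get(
            "xpack.security.transport.ssl.truststore.path"):
        findings.append("keystore and truststore differ: nodes may not trust each other")
    if es.get("xpack.security.transport.ssl.verification_mode") not in ("certificate", "full"):
        findings.append("verification_mode must be 'certificate' or 'full', never 'none'")
    if protocol != "https" or es.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("REST API is plain HTTP: Basic credentials travel in cleartext")
    return findings
```

Running audit(SAMPLE_VALUES) on the values above yields exactly one finding, the cleartext REST API; the same text with protocol: https and xpack.security.http.ssl.enabled: true added to the block passes clean.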

Installing ES with Helm

The Elasticsearch Helm chart comes from Elastic's official GitHub repository, https://github.com/elastic/helm-charts.

# Add the Elastic chart repository to Helm
$ helm repo add elastic https://helm.elastic.co
# Install the Elasticsearch master nodes
$ helm install elasticsearch-master -f es-master.yaml --namespace $namespace --version 6.8.6 elastic/elasticsearch

# Install the Elasticsearch data nodes
$ helm install elasticsearch-data -f es-data.yaml --namespace $namespace --version 6.8.6 elastic/elasticsearch

# Check the resources
$ kubectl get pod -n $namespace
es-01-data-0                                  1/1     Running   0          1m
es-01-data-1                                  1/1     Running   0          1m
es-01-master-0                                1/1     Running   0          1m
es-01-master-1                                1/1     Running   0          1m

Test access:

# curl xx:9200
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
# curl -u elastic:$password xx:9200
{
  "name" : "es-01-data-1",
  "cluster_name" : "es-01",
  "cluster_uuid" : "8eNkuEcpSWa1tLGoSyN_Xg",
  "version" : {
    "number" : "6.8.6",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "3d9f765",
    "build_date" : "2019-12-13T17:11:52.013738Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.2",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
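
As an added example (not part of the original post), the two curl checks above scripted as a post-deploy smoke test: an anonymous request must receive a 401 security_exception carrying a Basic challenge, and the elastic user must receive the cluster banner. The embedded mock server and its credentials are constructed stand-ins for the cluster so the script runs offline; point verify_auth_required at the real service URL and the secret's password to use it against a deployment.

```python
import base64, json, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for an x-pack secured node; bodies mirror the curl output above.
MOCK_CREDS = ("elastic", "example-password")  # constructed, not from the page
DENIED = {"error": {"type": "security_exception"}, "status": 401}
ROOT = {"name": "es-01-data-1", "cluster_name": "es-01", "version": {"number": "6.8.6"}}

def basic_header(user, password):
    # HTTP Basic credential exactly as curl -u user:password sends it
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class MockEs(BaseHTTPRequestHandler):
    def do_GET(self):
        authed = self.headers.get("Authorization") == basic_header(*MOCK_CREDS)
        self.send_response(200 if authed else 401)
        if not authed:  # the challenge a secured node returns with its 401
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
        self.end_headers()
        self.wfile.write(json.dumps(ROOT if authed else DENIED).encode())

    def log_message(self, *_):  # keep the demo quiet
        pass

def probe(url, auth=None):
    # GET url, optionally with Basic auth; returns (status, headers, parsed JSON body)
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", basic_header(*auth))
    try:
        with urllib.request.urlopen(req, timeout=5) as r:
            return r.status, r.headers, json.loads(r.read())
    except urllib.error.HTTPError as e:  # urllib raises on 401; that is the expected path
        return e.code, e.headers, json.loads(e.read())

def verify_auth_required(url, user, password):
    """Anonymous GET must be a 401 security_exception with a Basic challenge; the same GET with credentials must succeed."""
    anon_status, anon_hdrs, anon_body = probe(url)
    ok_status, _, ok_body = probe(url, (user, password))
    return {
        "anonymous_rejected": anon_status == 401 and anon_body.get("error", {}).get("type") == "security_exception",
        "basic_challenge": (anon_hdrs.get("WWW-Authenticate") or "").startswith("Basic"),
        "authenticated_ok": ok_status == 200,
        "cluster_name": ok_body.get("cluster_name"),
    }

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), MockEs)  # port 0: let the OS pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    result = verify_auth_required(f"http://127.0.0.1:{srv.server_port}/", *MOCK_CREDS)
    srv.shutdown()
    return result
```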

That completes the deployment of an authenticated ES cluster with Helm!

