Elastic Cloud on Kubernetes (ECK)のElasticsearchとKibanaにcert-managerとIngressを使ってLet's Encryptの証明書を適用するメモ

Elastic Cloud on Kubernetesで cert-managerを使う方法はドキュメントに説明されているが、 self-signed certificateの方法しか載っていないので、Let's Encryptを使う方法をメモ。 type: LoadBalancerのServiceを使わず、またIngress Nginxを使ってElasticsearch、Kibanaにアクセスするようにしている。

certificate.yml

# cert-manager Certificate: requests a wildcard certificate for *.eck.maki.lol
# from the ClusterIssuer and stores it in the Secret "certificate-tls".
# NOTE(review): cert-manager.io/v1alpha2 is a legacy API version; current
# cert-manager releases serve cert-manager.io/v1 — confirm against the installed version.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certificate
spec:
  # Secret that receives the issued certificate and key. It is namespaced, so the
  # Elasticsearch, Kibana and Ingress resources that reference it must be created
  # in the same namespace as this Certificate.
  secretName: certificate-tls
  issuerRef:
    # The ClusterIssuer itself is not shown on this page.
    name: letsencrypt-maki-lol
    kind: ClusterIssuer
  dnsNames:
  # Let's Encrypt issues wildcard names only through the DNS-01 challenge, so the
  # ClusterIssuer needs a DNS-01 solver; HTTP-01 cannot validate a wildcard.
  - '*.eck.maki.lol'

elasticsearch.yml

# ECK Elasticsearch cluster whose HTTP layer serves the Let's Encrypt certificate
# from the Secret "certificate-tls" instead of the ECK self-signed one.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.11.1
  nodeSets:
  - name: default
    count: 3
    config:
      # As in the ECK quickstart: avoids requiring vm.max_map_count to be raised on the hosts.
      node.store.allow_mmap: false
  http:
    tls:
      certificate:
        # Must be the Certificate's secretName and live in this namespace.
        secretName: certificate-tls
---
# Ingress (ingress-nginx) publishing the ECK-managed Service quickstart-es-http on
# elasticsearch.eck.maki.lol; TLS is terminated with the same Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: quickstart-es
  annotations:
    # NOTE(review): backend-protocol below uses the nginx.ingress.kubernetes.io prefix,
    # and ingress-nginx reads force-ssl-redirect under that same prefix by default;
    # confirm that this generic-prefix key is honored by the installed controller.
    ingress.kubernetes.io/force-ssl-redirect: "true"
    # Re-encrypt: nginx connects to the backend over HTTPS because the Elasticsearch
    # HTTP layer above serves TLS. By default ingress-nginx does not verify the
    # backend certificate; nginx.ingress.kubernetes.io/proxy-ssl-verify together with
    # proxy-ssl-secret enable that if end-to-end verification is required.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  tls:
  - secretName: certificate-tls
    hosts:
    - elasticsearch.eck.maki.lol
  rules:
  - host: elasticsearch.eck.maki.lol
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # Service name is derived by ECK from metadata.name: <name>-es-http.
            name: quickstart-es-http
            port:
              number: 9200

kibana.yml

# Ingress (ingress-nginx) publishing the ECK-managed Service quickstart-kb-http on
# kibana.eck.maki.lol; TLS is terminated with the shared Secret "certificate-tls".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: quickstart-kibana
  annotations:
    # NOTE(review): backend-protocol below uses the nginx.ingress.kubernetes.io prefix,
    # and ingress-nginx reads force-ssl-redirect under that same prefix by default;
    # confirm that this generic-prefix key is honored by the installed controller.
    ingress.kubernetes.io/force-ssl-redirect: "true"
    # Re-encrypt: nginx connects to Kibana over HTTPS because the Kibana HTTP layer
    # below serves TLS. By default ingress-nginx does not verify the backend
    # certificate; nginx.ingress.kubernetes.io/proxy-ssl-verify together with
    # proxy-ssl-secret enable that if end-to-end verification is required.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
spec:
  tls:
  - secretName: certificate-tls
    hosts:
    - kibana.eck.maki.lol
  rules:
  - host: kibana.eck.maki.lol
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            # Service name is derived by ECK from metadata.name: <name>-kb-http.
            name: quickstart-kb-http
            port:
              number: 5601
---
# ECK Kibana instance attached to the Elasticsearch cluster "quickstart"; its HTTP
# layer serves the Let's Encrypt certificate from the same Secret.
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 7.11.1
  count: 1
  elasticsearchRef:
    # metadata.name of the Elasticsearch resource, in the same namespace.
    name: quickstart
  http:
    tls:
      certificate:
        secretName: certificate-tls
kubectl apply -f certificate.yml -f elasticsearch.yml -f kibana.yml

でOK

image

同じ値の設定を繰り返したくないので、yttを使ってtemplate化する場合は、

values.yml

#! ytt data values shared by certificate.yml, elasticsearch.yml and kibana.yml.
#! The #@data/values annotation must directly precede the document start.
#@data/values
---
#! metadata.name of the Elasticsearch and Kibana resources; ECK derives the
#! Service names (<name>-es-http, <name>-kb-http) from it.
name: quickstart
#! Existing cert-manager ClusterIssuer (needs a DNS-01 solver for the wildcard).
cluster_issuer_name: letsencrypt-maki-lol
#! Secret written by the Certificate and read by Elasticsearch, Kibana and both Ingresses.
tls_secret_name: certificate-tls
#! Parent zone; hosts become elasticsearch.<subdomain> and kibana.<subdomain>.
subdomain: eck.maki.lol

certificate.yml

#@ load("@ytt:data", "data")

#! cert-manager Certificate for the wildcard *.<subdomain>, stored in tls_secret_name.
#! NOTE(review): cert-manager.io/v1alpha2 is a legacy API version; current
#! cert-manager releases serve cert-manager.io/v1 — confirm against the installed version.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: certificate
spec:
  #! The Secret is namespaced: the resources referencing it must be in this namespace.
  secretName: #@ data.values.tls_secret_name
  issuerRef:
    name: #@ data.values.cluster_issuer_name
    kind: ClusterIssuer
  dnsNames:
  #! Let's Encrypt issues wildcards only via DNS-01, so the ClusterIssuer needs a DNS-01 solver.
  - #@ "*.{}".format(data.values.subdomain)

elasticsearch.yml

#@ load("@ytt:data", "data")

#! ECK Elasticsearch cluster whose HTTP layer serves the certificate from tls_secret_name.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: #@ data.values.name
spec:
  version: 7.11.1
  nodeSets:
  - name: default
    count: 3
    config:
      #! As in the ECK quickstart: avoids requiring vm.max_map_count to be raised on the hosts.
      node.store.allow_mmap: false
  http:
    tls:
      certificate:
        secretName: #@ data.values.tls_secret_name
---
#@ domain_name = "elasticsearch.{}".format(data.values.subdomain)

#! Ingress (ingress-nginx) publishing the ECK-managed <name>-es-http Service on domain_name.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #@ "{}-es".format(data.values.name)
  annotations:
    #! NOTE(review): backend-protocol below uses the nginx.ingress.kubernetes.io prefix,
    #! and ingress-nginx reads force-ssl-redirect under that same prefix by default;
    #! confirm that this generic-prefix key is honored by the installed controller.
    ingress.kubernetes.io/force-ssl-redirect: "true"
    #! Re-encrypt to the TLS-enabled Elasticsearch HTTP layer. By default ingress-nginx
    #! does not verify the backend certificate; nginx.ingress.kubernetes.io/proxy-ssl-verify
    #! together with proxy-ssl-secret enable that if end-to-end verification is required.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - secretName: #@ data.values.tls_secret_name
    hosts:
    - #@ domain_name
  rules:
  - host: #@ domain_name
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: #@ "{}-es-http".format(data.values.name)
            port:
              number: 9200

kibana.yml

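#@ load("@ytt:data", "data")

#! ECK Kibana instance attached to the Elasticsearch resource named data.values.name;
#! its HTTP layer serves the certificate from tls_secret_name.
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: #@ data.values.name
spec:
  version: 7.11.1
  count: 1
  elasticsearchRef:
    name: #@ data.values.name
  http:
    tls:
      certificate:
        secretName: #@ data.values.tls_secret_name
---
#@ domain_name = "kibana.{}".format(data.values.subdomain)

#! Ingress (ingress-nginx) publishing the ECK-managed <name>-kb-http Service on domain_name.
#! apiVersion was missing in this document; without it the API server rejects the object.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: #@ "{}-kibana".format(data.values.name)
  annotations:
    #! NOTE(review): backend-protocol below uses the nginx.ingress.kubernetes.io prefix,
    #! and ingress-nginx reads force-ssl-redirect under that same prefix by default;
    #! confirm that this generic-prefix key is honored by the installed controller.
    ingress.kubernetes.io/force-ssl-redirect: "true"
    #! Re-encrypt to the TLS-enabled Kibana HTTP layer. By default ingress-nginx
    #! does not verify the backend certificate; nginx.ingress.kubernetes.io/proxy-ssl-verify
    #! together with proxy-ssl-secret enable that if end-to-end verification is required.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - secretName: #@ data.values.tls_secret_name
    hosts:
    - #@ domain_name
  rules:
  - host: #@ domain_name
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: #@ "{}-kb-http".format(data.values.name)
            port:
              number: 5601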
ytt -f certificate.yml -f elasticsearch.yml -f kibana.yml -f values.yml | kubectl apply -f-

でOK