--- title: Elastic Cloud on Kubernetes (ECK)のElasticsearchとKibanaにcert-managerとIngressを使ってLet's Encryptの証明書を適用するメモ tags: ["Kubernetes", "Let's Encrypt", "TLS", "cert-manager", "ECK", "ytt", "Ingress", "Elasticsearch", "Kibana", "Elastic Stack"] categories: ["Dev", "CaaS", "Kubernetes", "ECK"] date: 2021-02-20T02:43:16Z updated: 2021-02-20T02:49:00Z --- [Elastic Cloud on Kubernetes](https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html)で cert-managerを使う方法は[ドキュメント](https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-custom-http-certificate.html)に説明されているが、 self-signed certificateの方法しか載っていないので、Let's Encryptを使う方法をメモ。 type: LoadBalancerのServiceを使わず、また[Ingress Nginx](https://kubernetes.github.io/ingress-nginx/)を使ってElasticsearch、Kibanaにアクセスするようにしている。 `certificate.yml` ```yaml apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: certificate spec: secretName: certificate-tls issuerRef: name: letsencrypt-maki-lol kind: ClusterIssuer dnsNames: - '*.eck.maki.lol' ``` `elasticsearch.yml` ```yaml apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 7.11.1 nodeSets: - name: default count: 3 config: node.store.allow_mmap: false http: tls: certificate: secretName: certificate-tls --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: quickstart-es annotations: ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: HTTPS spec: tls: - secretName: certificate-tls hosts: - elasticsearch.eck.maki.lol rules: - host: elasticsearch.eck.maki.lol http: paths: - path: / pathType: Prefix backend: service: name: quickstart-es-http port: number: 9200 ``` `kibana.yml` ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: quickstart-kibana annotations: ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: HTTPS spec: tls: - secretName: certificate-tls hosts: - kibana.eck.maki.lol rules: - host: kibana.eck.maki.lol http: paths: - path: / pathType: Prefix backend: service: name: quickstart-kb-http port: number: 5601 --- apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: quickstart spec: version: 7.11.1 count: 1 elasticsearchRef: name: quickstart http: tls: certificate: secretName: certificate-tls ``` ``` kubectl apply -f certificate.yml -f elasticsearch.yml -f kibana.yml ``` でOK ![image](https://user-images.githubusercontent.com/106908/108580030-09eba600-736d-11eb-97df-4008d497c6cb.png) 同じ値の設定を繰り返したくないので、[ytt](https://carvel.dev/ytt)を使ってtemplate化する場合は、 `values.yml` ```yaml #@data/values --- name: quickstart cluster_issuer_name: letsencrypt-maki-lol tls_secret_name: certificate-tls subdomain: eck.maki.lol ``` `certificate.yml` ```yaml #@ load("@ytt:data", "data") apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: certificate spec: secretName: #@ data.values.tls_secret_name issuerRef: name: #@ data.values.cluster_issuer_name kind: ClusterIssuer dnsNames: - #@ "*.{}".format(data.values.subdomain) ``` `elasticsearch.yml` ```yaml #@ load("@ytt:data", "data") apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: #@ data.values.name spec: version: 7.11.1 nodeSets: - name: default count: 3 config: node.store.allow_mmap: false http: tls: certificate: secretName: #@ data.values.tls_secret_name --- #@ domain_name = "elasticsearch.{}".format(data.values.subdomain) apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: #@ "{}-es".format(data.values.name) annotations: ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" spec: tls: - secretName: #@ data.values.tls_secret_name hosts: - #@ domain_name rules: - host: #@ domain_name http: paths: - path: / pathType: Prefix backend: service: name: #@ "{}-es-http".format(data.values.name) port: number: 9200 ``` `kibana.yml` ```yaml #@ load("@ytt:data", "data") apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: #@ data.values.name spec: version: 7.11.1 count: 1 elasticsearchRef: name: #@ data.values.name http: tls: certificate: secretName: #@ data.values.tls_secret_name --- #@ domain_name = "kibana.{}".format(data.values.subdomain) kind: Ingress metadata: name: #@ "{}-kibana".format(data.values.name) annotations: ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" spec: tls: - secretName: #@ data.values.tls_secret_name hosts: - #@ domain_name rules: - host: #@ domain_name http: paths: - path: / pathType: Prefix backend: service: name: #@ "{}-kb-http".format(data.values.name) port: number: 5601 ``` ``` ytt -f certificate.yml -f elasticsearch.yml -f kibana.yml -f values.yml | kubectl apply -f- ``` でOK