Prerequisites
- Domain Name: You need a domain name (e.g., example.com) and access to its DNS settings.
- TLS Certificate: A valid TLS certificate for the custom domain. You can use Let's Encrypt or any other certificate authority (CA).
- Running ECK Cluster: An Elasticsearch cluster deployed and managed by ECK.
Provision TLS Certificates
Use Cert-Manager for automatic TLS certificate provisioning.
- Installation
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
or
helm repo add jetstack https://charts.jetstack.io --force-update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.16.2 \
--set crds.enabled=true
- Configuring issuers
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com # Update with your contact email address.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
- Update DNS Records
- Obtain the ingress controller's external IP:
kubectl get svc -n ingress-nginx
- Add a DNS record in your domain's control panel:
Type: A/CNAME
Name: es.example.com
Value: <Ingress Controller External IP>
With Elastic Cloud on Kubernetes (ECK) you can extend the basic Kubernetes orchestration capabilities to easily deploy, secure, and upgrade your Elasticsearch cluster, and much more.
- Install custom resource definitions:
kubectl create -f https://download.elastic.co/downloads/eck/2.15.0/crds.yaml
- Install the operator with its RBAC rules:
kubectl apply -f https://download.elastic.co/downloads/eck/2.15.0/operator.yaml
- Configure Ingress
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: eck
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
  - secretName: eck-tls
    hosts:
    - es.example.com
    - kb.example.com
  rules:
  - host: es.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: quickstart-es-http
            port:
              number: 9200
  - host: kb.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: quickstart-kb-http
            port:
              number: 5601
EOF
Here we customize the TLS settings under spec.http:
selfSignedCertificate:
  disabled: true
certificate:
  secretName: eck-tls
This disables the self-signed certificate and uses the certificate that the Ingress requested from Let's Encrypt, as shown below ⬇️.
- Deploy an Elasticsearch cluster and a Kibana instance
kubectl apply -f - <<EOF
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.16.1
  http:
    tls:
      selfSignedCertificate:
        disabled: true
      certificate:
        secretName: eck-tls
  nodeSets:
  - name: default
    count: 3
    config:
      node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: quickstart
  http:
    tls:
      selfSignedCertificate:
        disabled: true
      certificate:
        secretName: eck-tls
EOF
- The cert-manager.io/cluster-issuer: "letsencrypt-prod" annotation tells the Ingress to use the letsencrypt-prod cluster issuer for certificate requests. The cluster issuer was declared above.
- The nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation is very important, because Elasticsearch and Kibana are using HTTPS.
Then you can visit Elasticsearch and Kibana via your own domain.
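The setup above only works when the Ingress and the two ECK resources agree on the secret name, the namespace and the backend protocol. As an added example (not code from the original post), this Python script lints objects shaped like the items of `kubectl get ingress,elasticsearch,kibana -o json` for those mismatches; the names `lint` and `sample`, the default-namespace fallback and the sample objects are constructed for the example.

```python
SUFFIX = {"Elasticsearch": "-es-http", "Kibana": "-kb-http"}  # ECK HTTP Service names
PROTO = "nginx.ingress.kubernetes.io/backend-protocol"

def lint(items):
    """Return findings for Ingress/ECK TLS mismatches; an empty list means consistent."""
    findings = []
    eck = {(o["metadata"].get("namespace", "default"),
            o["metadata"]["name"] + SUFFIX[o["kind"]]): o
           for o in items if o["kind"] in SUFFIX}
    for ing in (o for o in items if o["kind"] == "Ingress"):
        ns = ing["metadata"].get("namespace", "default")
        proto = ing["metadata"].get("annotations", {}).get(PROTO)
        secret_for = {h: t["secretName"] for t in ing["spec"].get("tls", [])
                      for h in t.get("hosts", [])}
        for rule in ing["spec"].get("rules", []):
            host, issued = rule["host"], secret_for.get(rule["host"])
            if issued is None:
                findings.append(f"{host}: not listed under spec.tls")
            for path in rule["http"]["paths"]:
                svc = path["backend"]["service"]["name"]
                res = eck.get((ns, svc))
                if res is None:  # Secrets and Services are namespaced
                    findings.append(f"{host}: no ECK resource behind {svc} in {ns}")
                    continue
                tls = res["spec"].get("http", {}).get("tls", {})
                custom = tls.get("certificate", {}).get("secretName")
                no_self_signed = tls.get("selfSignedCertificate", {}).get("disabled", False)
                if (custom or not no_self_signed) and proto != "HTTPS":
                    findings.append(f"{host}: {svc} serves HTTPS but {PROTO} is {proto!r}")
                if no_self_signed and custom != issued:
                    findings.append(f"{host}: {svc} uses {custom!r}, Ingress issues {issued!r}")
    return findings

def sample(kb_secret="eck-tls", proto="HTTPS"):
    """Constructed objects mirroring this page's manifests (assumed default namespace)."""
    def eck_obj(kind, secret):
        return {"kind": kind, "metadata": {"name": "quickstart"}, "spec": {"http": {"tls": {
            "selfSignedCertificate": {"disabled": True}, "certificate": {"secretName": secret}}}}}
    def rule(host, svc):
        return {"host": host, "http": {"paths": [{"backend": {"service": {"name": svc}}}]}}
    ingress = {"kind": "Ingress", "metadata": {"name": "eck", "annotations": {PROTO: proto}},
               "spec": {"tls": [{"secretName": "eck-tls",
                                 "hosts": ["es.example.com", "kb.example.com"]}],
                        "rules": [rule("es.example.com", "quickstart-es-http"),
                                  rule("kb.example.com", "quickstart-kb-http")]}}
    return [ingress, eck_obj("Elasticsearch", "eck-tls"), eck_obj("Kibana", kb_secret)]

if __name__ == "__main__":
    print(lint(sample(kb_secret="kibana-tls")))
```

To run it against a live cluster, pass the `items` array of the `kubectl get ... -o json` output to `lint` in place of `sample()`.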