Prerequisites
- Domain Name: You need a domain name (e.g., example.com) and access to its DNS settings.
- TLS Certificate: A valid TLS certificate for the custom domain. You can use Let's Encrypt or any other certificate authority (CA).
- Running ECK Cluster: An Elasticsearch cluster deployed and managed by ECK.
Provision TLS Certificates
Use Cert-Manager for automatic TLS certificate provisioning.
- Installation
```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
```
or
```shell
helm repo add jetstack https://charts.jetstack.io --force-update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.16.2 \
  --set crds.enabled=true
```
- Configuring issuers
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com # Update email with your contact email address.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx
```
- Update DNS Records
- Obtain the ingress controller's external IP:
```shell
kubectl get svc -n ingress-nginx
```
- Add a DNS record in your domain's control panel:
```
Type: A/CNAME
Name: es.example.com
Value: <Ingress Controller External IP>
```
With Elastic Cloud on Kubernetes (ECK) you can extend the basic Kubernetes orchestration capabilities to easily deploy, secure, upgrade your Elasticsearch cluster, and much more.
- Install custom resource definitions:
```shell
kubectl create -f https://download.elastic.co/downloads/eck/2.15.0/crds.yaml
```
- Install the operator with its RBAC rules:
```shell
kubectl apply -f https://download.elastic.co/downloads/eck/2.15.0/operator.yaml
```
- Configure Ingress
```shell
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: eck
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - secretName: eck-tls
      hosts:
        - es.example.com
        - kb.example.com
  rules:
    - host: es.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: quickstart-es-http
                port:
                  number: 9200
    - host: kb.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: quickstart-kb-http
                port:
                  number: 5601
EOF
```
Here we customize the configuration under spec.http.tls:
```yaml
selfSignedCertificate:
  disabled: true
certificate:
  secretName: eck-tls
```
This disables the self-signed certificate and uses the certificate requested from Let's Encrypt by the ingress, as shown below ⬇️.
- Deploy an Elasticsearch cluster and a Kibana instance
```shell
kubectl apply -f - <<EOF
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.16.1
  http:
    tls:
      selfSignedCertificate:
        disabled: true
      certificate:
        secretName: eck-tls
  nodeSets:
    - name: default
      count: 3
      config:
        node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.16.1
  count: 1
  elasticsearchRef:
    name: quickstart
  http:
    tls:
      selfSignedCertificate:
        disabled: true
      certificate:
        secretName: eck-tls
EOF
```
- The cert-manager.io/cluster-issuer: "letsencrypt-prod" annotation tells the ingress to use the letsencrypt-prod cluster issuer for certificate requests. The cluster issuer was declared above.
- The nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation is very important, because Elasticsearch and Kibana are using HTTPS.
Then you can visit Elasticsearch and Kibana via your own domain.
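To confirm which hostnames the issued certificate actually covers, this added example (not part of the original post) parses the subjectAltName text that openssl prints and checks it against a list of expected hostnames. The sample output is constructed, and the function names and the in-cluster Service hostname are assumptions made for illustration.

```shell
# Real input (needs cluster access and OpenSSL 1.1.1+; not run here):
#   kubectl get secret eck-tls -o jsonpath='{.data.tls\.crt}' | base64 -d \
#     | openssl x509 -noout -ext subjectAltName

# Constructed sample of that command's output for the Ingress hosts in this post.
SAMPLE_SAN_OUTPUT='X509v3 Subject Alternative Name:
    DNS:es.example.com, DNS:kb.example.com'

# Print one DNS SAN per line from openssl's text output.
extract_dns_sans() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# Return 0 if hostname $1 matches SAN $2: exact (case-insensitive) match, or a
# "*." wildcard that stands for exactly one left-most label.
san_matches() {
  _h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  _p=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$_h" = "$_p" ]; then return 0; fi
  case "$_p" in
    '*.'*)
      _first=${_h%%.*}
      if [ -n "$_first" ] && [ "${_h#"$_first"}" = "${_p#?}" ]; then return 0; fi
      ;;
  esac
  return 1
}

# check_hosts SANS HOST...: report each host, return 1 if any is not covered.
check_hosts() {
  _sans=$1; shift
  _rc=0
  for _host in "$@"; do
    _found=no
    while IFS= read -r _san; do
      if san_matches "$_host" "$_san"; then _found=yes; break; fi
    done <<EOF
$_sans
EOF
    if [ "$_found" = yes ]; then echo "ok       $_host"
    else echo "MISSING  $_host"; _rc=1; fi
  done
  return "$_rc"
}

# Ingress hosts are covered; the Service name (hypothetical, default namespace) is not.
check_hosts "$(extract_dns_sans "$SAMPLE_SAN_OUTPUT")" es.example.com kb.example.com quickstart-es-http.default.svc || true
```

A non-zero return from check_hosts means at least one expected hostname is absent from the certificate's SAN list.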
Top comments (1)
This is helpful. How do you specify the hostname that Kibana uses to talk to Elasticsearch? I assume that Kibana will use quickstart.default.cluster.local since that is the default K8 domain. Wouldn't this lead to a mismatch since the certificate has been issued for es.example.com?