
Single cluster node sample

In this sample we deploy a single-node Elasticsearch cluster in the namespace `cluster-dev`.

Key points:

  • The node holds the master, data and ingest roles.
  • It is exposed through an Ingress at https://elasticsearch-cluster-dev.domain.local (HTTP is redirected to HTTPS).
  • It uses a Platinum license to enable Active Directory authentication.
  • It attaches an NFS-backed PVC to store snapshots.
  • It sets soft anti-affinity (not really needed on a single node).
  • It injects a custom CA into the Java cacerts truststore.
  • It injects secrets (the AD bind password) into the Elasticsearch keystore.

We need to create a few extra resources (Secrets and a PVC) because the sample uses a Platinum license, authenticates against Active Directory, and mounts an NFS volume for snapshots. We also inject a custom CA into cacerts so Elasticsearch can reach an on-premise S3 storage. Make sure the domain controllers are reached over LDAPS (or StartTLS): with a plain `ldap://` URL the bind password and every user's credentials cross the network in clear text. Do not commit the real Secret values shown as `++++++++` below; inject them from a secret manager at deploy time.

elasticsearch.yaml:

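# Single-node Elasticsearch cluster managed by the webcenter operator.
# The Secrets referenced below (es-tls, custom-ca, elasticsearch-env,
# elasticsearch-keystore, elasticsearch-license) and the snapshot PVC must
# exist in the same namespace before this resource is applied.
apiVersion: elasticsearch.k8s.webcenter.fr/v1
kind: Elasticsearch
metadata:
  labels:
    socle: cluster-dev
  name: elasticsearch
  namespace: cluster-dev
spec:
  clusterName: cluster-dev
  endpoint:
    ingress:
      enabled: true
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: 512M
        nginx.ingress.kubernetes.io/proxy-connect-timeout: '600'
        nginx.ingress.kubernetes.io/proxy-read-timeout: '600'
        nginx.ingress.kubernetes.io/proxy-send-timeout: '600'
        # Plain HTTP requests to the ingress are redirected to HTTPS.
        nginx.ingress.kubernetes.io/ssl-redirect: 'true'
      host: elasticsearch-cluster-dev.domain.local
      # TLS certificate/key served by the ingress for the host above.
      secretRef:
        name: es-tls
  globalNodeGroup:
    additionalVolumes:
      # NFS-backed volume registered as the snapshot repository (see path.repo).
      - mountPath: /mnt/snapshot
        name: snapshot
        persistentVolumeClaim:
          claimName: pvc-elasticsearch-snapshot
    antiAffinity:
      type: soft
    # Extra CA certificate(s) the JVM must trust (on-premise S3 endpoint,
    # and the domain controllers if the AD realm uses LDAPS).
    caSecretRef:
      name: custom-ca
    config:
      elasticsearch.yml: |
        action.destructive_requires_name: true
        gateway.recover_after_time: 5m
        # NOTE(review): allow-origin /.*/ combined with allow-credentials
        # lets any web origin issue authenticated cross-origin requests
        # through the ingress. Restrict allow-origin to the exact browser
        # origins that need it (Kibana does not need CORS), or disable CORS.
        http.cors.allow-credentials: true
        # Must stay on one line: a continuation at the same indent is not a
        # valid YAML scalar and makes elasticsearch.yml fail to parse.
        http.cors.allow-headers: X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization
        http.cors.allow-origin: /.*/
        http.cors.enabled: true
        http.max_content_length: 500mb

        # Snapshot repository location (the additionalVolumes mount above).
        path.repo:
          - /mnt/snapshot

        # access_granted (one event per authorised request) is excluded to
        # limit volume; denials and authentication failures stay in the
        # default event set.
        xpack.security.audit.enabled: true
        xpack.security.audit.logfile.events.exclude:
          - access_granted
        xpack.security.authc:
          # Unauthenticated requests are mapped to this user and role, and the
          # ingress exposes them to the network: keep the role minimal (a
          # custom role with only the `monitor` cluster privilege is tighter
          # than the built-in monitoring role). authz_exception: false makes
          # anonymous requests that lack privileges get a 401 challenge
          # rather than a 403.
          anonymous:
            authz_exception: false
            roles: monitoring
            username: anonymous_user
          realms:
            active_directory.active_directory:
              order: 2
              # LDAPS (636) instead of ldap:// (389): otherwise the bind
              # password from the keystore and every user's credentials are
              # sent in clear text. The domain controllers' certificates must
              # chain to a CA the JVM trusts — via caSecretRef above, or by
              # setting this realm's ssl.certificate_authorities.
              url:
                - "ldaps://dc1.domain.local:636"
                - "ldaps://dc2.domain.local:636"
              load_balance.type: "failover"
              follow_referrals: true
              # Bind DN comes from the elasticsearch-env Secret (envFrom below).
              bind_dn: "${ELASTICSEARCH_LDAP_USER}"
              timeout.ldap_search: 60s
              domain_name: DOMAIN
              user_search:
                base_dn: "DC=DOMAIN,DC=LOCAL"
                scope: sub_tree
              group_search:
                base_dn: "OU=Users,DC=DOMAIN,DC=LOCAL"
                scope: sub_tree
              # Only AD groups explicitly mapped to roles grant privileges.
              unmapped_groups_as_roles: false

        # Absolute disk watermarks sized for the small 20Gi dev volume.
        cluster.routing.allocation.disk.watermark.flood_stage: 1gb
        cluster.routing.allocation.disk.watermark.high: 1gb
        cluster.routing.allocation.disk.watermark.low: 2gb
        gateway.expected_data_nodes: 1
        gateway.recover_after_data_nodes: 1
    # Environment variables referenced from elasticsearch.yml (${VAR}).
    envFrom:
      - secretRef:
          name: elasticsearch-env
    initContainerResources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 25m
        memory: 64Mi
    # Each key of this Secret becomes a secure setting in the ES keystore.
    keystoreSecretRef:
      name: elasticsearch-keystore
  # Platinum license enabling the Active Directory realm.
  licenseSecretRef:
    name: elasticsearch-license
  nodeGroups:
    - name: all
      persistence:
        volumeClaim:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 20Gi
          storageClassName: local-path
      replicas: 1
      resources:
        limits:
          cpu: 1000m
          memory: 4Gi
        requests:
          cpu: 250m
          memory: 4Gi
      roles:
        - master
        - data_hot
        - data_content
        - ingest
      # Indices with replicas cannot turn green on a single node, so yellow
      # is the realistic readiness target.
      waitClusterStatus: yellow
  # NOTE(review): presumably sets vm.max_map_count through a privileged init
  # container — confirm with the operator docs before use on hardened nodes.
  setVMMaxMapCount: true
  # Internal transport/HTTP certificates issued by the operator; renewalDays
  # and validityDays are presumably the operator's rotation policy.
  tls:
    enabled: true
    keySize: 2048
    renewalDays: 365
    validityDays: 1000
  version: 8.7.1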

custom-ca-secret.yaml:

# CA certificate(s) referenced by spec.globalNodeGroup.caSecretRef and
# injected into the JVM truststore. Secret `data` values are base64-encoded
# PEM; "++++++++" is a placeholder, not valid base64.
apiVersion: v1
kind: Secret
metadata:
  name: custom-ca
  namespace: cluster-dev
type: Opaque
data:
  custom-ca.crt: ++++++++

elasticsearch-env-secret.yaml:

# Environment variables injected via spec.globalNodeGroup.envFrom.
# ELASTICSEARCH_LDAP_USER is the DN of the AD bind account, expanded into
# bind_dn ("${ELASTICSEARCH_LDAP_USER}") in elasticsearch.yml. Value is
# base64-encoded; "++++++++" is a placeholder. The bind password itself must
# NOT go here — it belongs in the elasticsearch-keystore Secret.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-env
  namespace: cluster-dev
type: Opaque
data:
  ELASTICSEARCH_LDAP_USER: ++++++++

elasticsearch-keystore-secret.yaml:

# Secure settings loaded into the Elasticsearch keystore via
# spec.globalNodeGroup.keystoreSecretRef. Each key is the full setting name;
# this one is the bind password of the AD realm named "active_directory".
# Value is base64-encoded; "++++++++" is a placeholder. Never commit the real
# value — inject it from a secret manager at deploy time.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-keystore
  namespace: cluster-dev
type: Opaque
data:
  xpack.security.authc.realms.active_directory.active_directory.secure_bind_password: ++++++++

elasticsearch-license-secret.yaml:

# Platinum license referenced by spec.licenseSecretRef. The `license` key
# holds the base64-encoded license file; "++++++++" is a placeholder. Treat
# it as sensitive — a leaked license can be reused elsewhere.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-license
  namespace: cluster-dev
type: Opaque
data:
  license: ++++++++

pvc-elasticsearch-snapshot.yaml:

# NFS-backed claim mounted at /mnt/snapshot and registered in path.repo as
# the snapshot repository. Snapshots contain the index data unencrypted, so
# the NFS export should be restricted to the cluster nodes (and to other
# clusters that legitimately restore from it). ReadWriteMany so several
# nodes could share it in a multi-node deployment.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-elasticsearch-snapshot
  namespace: cluster-dev
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs-client