DEV Community: guangyuan zhang The latest articles on DEV Community by guangyuan zhang (@guangyuan_zhang_c508769d0). https://dev.to/guangyuan_zhang_c508769d0 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2498228%2F603dc3d6-c95e-4c0d-9e50-1ccc63c2a1c5.png DEV Community: guangyuan zhang https://dev.to/guangyuan_zhang_c508769d0 en Elastic Cloud on Kubernetes (ECK) with custom domain name guangyuan zhang Tue, 03 Dec 2024 14:57:12 +0000 https://dev.to/guangyuan_zhang_c508769d0/elastic-cloud-on-kubernetes-eck-with-custom-domain-name-4o3k https://dev.to/guangyuan_zhang_c508769d0/elastic-cloud-on-kubernetes-eck-with-custom-domain-name-4o3k <h2> Prerequisites </h2> <ol> <li>Domain Name: You need a domain name (e.g., example.com) and access to its DNS settings.</li> <li>TLS Certificate: A valid TLS certificate for the custom domain. You can use Let's Encrypt or any other certificate authority (CA).</li> <li>Running ECK Cluster: An Elasticsearch cluster deployed and managed by ECK.</li> </ol> <h2> Provision TLS Certificates </h2> <p>Use Cert-Manager for automatic TLS certificate provisioning.</p> <ol> <li>Installation </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml or helm repo add jetstack https://charts.jetstack.io --force-update helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.16.2 \ --set crds.enabled=true </code></pre> </div> <ol> <li>Configuring issuers </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: admin@example.com #Update email with your contact email address. privateKeySecretRef: name: letsencrypt-prod solvers: - http01: ingress: class: nginx </code></pre> </div> <ol> <li>Update DNS Records</li> </ol> <ul> <li>Obtain the <a href="https://kubernetes.github.io/ingress-nginx/deploy/" rel="noopener noreferrer">ingress controller</a>'s external IP: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl get svc -n ingress-nginx </code></pre> </div> <ul> <li>Add a DNS record in your domain's control panel: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Type: A/CNAME Name: es.example.com Value: &lt;Ingress Controller External IP&gt; </code></pre> </div> <p>With Elastic Cloud on Kubernetes (ECK) you can extend the basic Kubernetes orchestration capabilities to easily deploy, secure, upgrade your Elasticsearch cluster, and much more.</p> <ol> <li>Install custom resource definitions: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl create -f https://download.elastic.co/downloads/eck/2.15.0/crds.yaml` </code></pre> </div> <ol> <li>Install the operator with its RBAC rules: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f https://download.elastic.co/downloads/eck/2.15.0/operator.yaml </code></pre> </div> <ol> <li>Configure Ingress </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f - &lt;&lt;EOF apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: eck annotations: cert-manager.io/cluster-issuer: "letsencrypt-prod" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" spec: ingressClassName: nginx tls: - secretName: eck-tls hosts: - es.example.com - kb.example.com rules: - host: es.example.com http: paths: - path: / pathType: Prefix backend: service: name: quickstart-es-http port: number: 9200 - host: kb.example.com http: paths: - path: / pathType: Prefix backend: service: name: quickstart-kb-http port: number: 5601 EOF </code></pre> </div> <p>Here we customize the configuration <code>spec.http</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> selfSignedCertificate: disabled: true certificate: secretName: eck-tls </code></pre> </div> <p>Disable the self signed certificate, and use the certificate requested from letencrypt by ingress which shows below⬇️.</p> <ol> <li>Deploy an Elasticsearch cluster and a Kibana instance </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>kubectl apply -f - &lt;&lt;EOF apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 8.16.1 http: tls: selfSignedCertificate: disabled: true certificate: secretName: eck-tls nodeSets: - name: default count: 3 config: node.store.allow_mmap: false --- apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: quickstart spec: version: 8.16.1 count: 1 elasticsearchRef: name: quickstart http: tls: selfSignedCertificate: disabled: true certificate: secretName: eck-tls EOF </code></pre> </div> <ul> <li> <code>cert-manager.io/cluster-issuer: "letsencrypt-prod"</code> annotation tells the ingress to use the <code>letsencrypt-prod</code> cluster issuer for certificate requests. Cluster issuer has declared above.</li> <li> <code>nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"</code> annotation is very <strong><em>important</em></strong>, for elasticsearch and kibanan are using https.</li> </ul> <p>Then you can visit elasticsearch/kibana via your own domain</p> kubernetes elasticsearch eck ingress