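Deploying a 3-node highly available Elasticsearch v8.14.3 cluster on Kubernetes
Deploy a 3-node Elasticsearch cluster on Kubernetes, in two variants: with certificates and without.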
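1 Overview
A single YAML file deploys a 3-node Elasticsearch v8.14.3 cluster; after changing the StorageClass name it can be used as is.
2 Environment preparation
2.1 Prepare a Kubernetes cluster on Huawei Cloud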

2.2 Prepare a NAS on Huawei Cloud as the backing storage for PVs

It must be NAS storage, not block storage, because multiple pods on different nodes will later mount the same PV at the same time.
2.3 Create the Kubernetes StorageClass
The StorageClass YAML is below; apply it to the cluster. This StorageClass is named nfs (important enough to say three times: nfs, nfs, nfs), and the Elasticsearch YAML later on references this name.
apiVersion: storage.k8s.io/v1
allowVolumeExpansion: true
kind: StorageClass
metadata:
  name: nfs
mountOptions:
  - lock
parameters:
  csi.storage.k8s.io/csi-driver-name: sfsturbo.csi.everest.io
  csi.storage.k8s.io/fstype: nfs
  everest.io/archive-on-delete: "true"
  everest.io/share-access-to: fc1f5584-4423-4************ # VPC ID
  everest.io/share-expand-type: bandwidth
  everest.io/share-export-location: b134a******.sfsturbo.internal:/mydir # shared path of the SFS Turbo instance, followed by a custom subdirectory
  everest.io/share-source: sfs-turbo
  everest.io/share-volume-type: STANDARD
  everest.io/volume-as: subpath
  everest.io/volume-id: b134a****** # ID of the SFS Turbo instance
provisioner: everest-csi-provisioner
reclaimPolicy: Retain
volumeBindingMode: Immediate
3 Deploying ES without certificates
The Elasticsearch YAML is below; apply it to the cluster:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
spec:
  serviceName: elasticsearch
  podManagementPolicy: Parallel
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      initContainers:
        # Raises vm.max_map_count on the node; this is why the container is privileged.
        - name: configure-sysctl
          image: swr.cn-south-1.myhuaweicloud.com/migrator/busybox:1.36
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
      containers:
        - name: elasticsearch
          image: swr.cn-south-1.myhuaweicloud.com/migrator/elasticsearch:8.14.3
          resources:
            limits:
              cpu: "4"
              memory: "8Gi"
            requests:
              cpu: "0.5"
              memory: "1Gi"
          ports:
            - containerPort: 9200
              name: http
            - containerPort: 9300
              name: transport
          env:
            - name: ES_JAVA_OPTS
              value: "-Xms2g -Xmx2g"
          volumeMounts:
            - name: elasticsearch-data
              mountPath: /usr/share/elasticsearch/data
            - name: config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
            - name: elasticsearch-logs
              mountPath: /usr/share/elasticsearch/logs
          livenessProbe:
            httpGet:
              path: /_cluster/health?local=true
              port: 9200
              scheme: HTTP
              httpHeaders:
                - name: Authorization
                  value: "Basic ZWxhc3RpYzpkaWZ5YWkxMjM0NTY="
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /_cluster/health?local=true
              port: 9200
              scheme: HTTP
              httpHeaders:
                - name: Authorization
                  value: "Basic ZWxhc3RpYzpkaWZ5YWkxMjM0NTY="
            initialDelaySeconds: 30
            timeoutSeconds: 5
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
      volumes:
        - name: config
          configMap:
            name: elasticsearch-config
  volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
        labels:
          app: elasticsearch
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: nfs
        resources:
          requests:
            storage: 50Gi
    - metadata:
        name: elasticsearch-logs
        labels:
          app: elasticsearch
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: nfs
        resources:
          requests:
            storage: 4Gi
---
# Headless Service: gives each pod a stable DNS name (elasticsearch-N.elasticsearch).
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  labels:
    app: elasticsearch
spec:
  ports:
    - port: 9200
      name: http
    - port: 9300
      name: transport
  clusterIP: None
  selector:
    app: elasticsearch
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-config
data:
  elasticsearch.yml: |
    cluster.name: es-cluster
    node.name: ${HOSTNAME}
    network.host: 0.0.0.0
    discovery.seed_hosts: ["elasticsearch-0.elasticsearch", "elasticsearch-1.elasticsearch", "elasticsearch-2.elasticsearch"]
    cluster.initial_master_nodes: ["elasticsearch-0", "elasticsearch-1", "elasticsearch-2"]
    xpack.security.enrollment.enabled: true
    xpack.security.http.ssl.enabled: false
    bootstrap.memory_lock: false
    indices.memory.index_buffer_size: 10%
    indices.queries.cache.size: 5%
    action.destructive_requires_name: true
    xpack.security.transport.ssl.enabled: false
    # Security is off in this variant: no authentication and no TLS.
    xpack.security.enabled: false
    node.roles: ["master", "data", "ingest"]
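With xpack.security.enabled: false and network.host: 0.0.0.0, any pod that can reach ports 9200 or 9300 gets unauthenticated access to this cluster. The NetworkPolicy below is an added example, not part of the original manifest; it assumes a CNI plugin that enforces NetworkPolicy, and the policy name and the es-client label are hypothetical.

```yaml
# Added example: limit who can reach the unauthenticated cluster.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: elasticsearch-ingress          # hypothetical name
spec:
  podSelector:
    matchLabels:
      app: elasticsearch               # label used by the StatefulSet above
  policyTypes:
    - Ingress
  ingress:
    # Transport (9300): only the Elasticsearch pods themselves.
    - from:
        - podSelector:
            matchLabels:
              app: elasticsearch
      ports:
        - protocol: TCP
          port: 9300
    # HTTP API (9200): cluster members plus pods carrying the client label.
    - from:
        - podSelector:
            matchLabels:
              app: elasticsearch
        - podSelector:
            matchLabels:
              es-client: "true"        # hypothetical label for allowed clients
      ports:
        - protocol: TCP
          port: 9200
```

The selectors match pods in the same namespace as the policy, so clients in other namespaces are denied unless a namespaceSelector is added.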
The deployment result is as follows:
4 Deploying ES with certificates
SSL is enabled on the transport layer and not on HTTP; the full YAML is as follows:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
spec:
  serviceName: elasticsearch
  podManagementPolicy: Parallel
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      initContainers:
        # Raises vm.max_map_count on the node; this is why the container is privileged.
        - name: configure-sysctl
          image: swr.cn-south-1.myhuaweicloud.com/migrator/busybox:1.36
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        # Issues a per-pod PKCS#12 certificate signed by the CA from the Secret.
        - name: init-cert
          image: swr.cn-south-1.myhuaweicloud.com/migrator/elasticsearch:8.14.3
          command:
            - sh
            - -c
            - 'ls /opt/certs/ca.p12 && bin/elasticsearch-certutil cert --days 3650 --silent --ca /opt/certs/ca.p12 --ca-pass "" --name $HOSTNAME --dns $HOSTNAME.elasticsearch,localhost --ip $POD_IP,127.0.0.1 --out /certs/$HOSTNAME.p12 --pass ""'
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: certs
              mountPath: /certs
            - name: secret-certs
              mountPath: /opt/certs/ca.p12
              subPath: ca.p12
              readOnly: true
      containers:
        - name: elasticsearch
          image: swr.cn-south-1.myhuaweicloud.com/migrator/elasticsearch:8.14.3
          resources:
            limits:
              cpu: "4"
              memory: "8Gi"
            requests:
              cpu: "0.5"
              memory: "1Gi"
          ports:
            - containerPort: 9200
              name: http
            - containerPort: 9300
              name: transport
          env:
            - name: ES_JAVA_OPTS
              value: "-Xms2g -Xmx2g"
            - name: POD_IP
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: status.podIP
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            # Password of the built-in elastic user, stored here in clear text.
            - name: ELASTIC_PASSWORD
              value: difyai123456
          volumeMounts:
            - name: elasticsearch-data
              mountPath: /usr/share/elasticsearch/data
            - name: config
              mountPath: /usr/share/elasticsearch/config/elasticsearch.yml
              subPath: elasticsearch.yml
            - name: elasticsearch-logs
              mountPath: /usr/share/elasticsearch/logs
            - name: certs
              mountPath: /usr/share/elasticsearch/config/certs
            - name: secret-certs
              mountPath: /usr/share/elasticsearch/config/certs/ca.p12
              subPath: ca.p12
              readOnly: true
          livenessProbe:
            httpGet:
              path: /_cluster/health?local=true
              port: 9200
              scheme: HTTP
              httpHeaders:
                # Base64 of elastic:<ELASTIC_PASSWORD>; encoded, not encrypted.
                - name: Authorization
                  value: "Basic ZWxhc3RpYzpkaWZ5YWkxMjM0NTY="
            initialDelaySeconds: 50
            timeoutSeconds: 5
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /_cluster/health?local=true
              port: 9200
              scheme: HTTP
              httpHeaders:
                - name: Authorization
                  value: "Basic ZWxhc3RpYzpkaWZ5YWkxMjM0NTY="
            initialDelaySeconds: 50
            timeoutSeconds: 5
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
      volumes:
        - name: config
          configMap:
            name: elasticsearch-config
        # emptyDir shared between init-cert and the main container.
        - name: certs
          emptyDir: {}
        - name: secret-certs
          secret:
            secretName: elasticsearch-certs
            defaultMode: 0777
  volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
        labels:
          app: elasticsearch
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: nfs
        resources:
          requests:
            storage: 50Gi
    - metadata:
        name: elasticsearch-logs
        labels:
          app: elasticsearch
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: nfs
        resources:
          requests:
            storage: 4Gi
---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  labels:
    app: elasticsearch
spec:
  ports:
    - port: 9200
      name: http
    - port: 9300
      name: transport
  clusterIP: None
  selector:
    app: elasticsearch
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-config
data:
  elasticsearch.yml: |
    cluster.name: es-cluster
    node.name: ${HOSTNAME}
    network.host: 0.0.0.0
    node.roles: ["master", "data", "ingest"]
    discovery.seed_hosts: ["elasticsearch-0.elasticsearch", "elasticsearch-1.elasticsearch", "elasticsearch-2.elasticsearch"]
    cluster.initial_master_nodes: ["elasticsearch-0", "elasticsearch-1", "elasticsearch-2"]
    indices.memory.index_buffer_size: 10%
    indices.queries.cache.size: 5%
    xpack.security.enabled: true
    xpack.security.enrollment.enabled: true
    xpack.security.http.ssl.enabled: false
    bootstrap.memory_lock: false
    action.destructive_requires_name: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/${HOSTNAME}.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/${HOSTNAME}.p12
---
apiVersion: v1
data:
  ca.p12: <base64-encoded ca.p12>
kind: Secret
metadata:
  name: elasticsearch-certs
type: Opaque
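The manifest above carries the elastic password in clear text in the ELASTIC_PASSWORD value and again, base64-encoded, in the probes' Authorization header, and it mounts the CA keystore with mode 0777. The fragment below is an added example, not part of the original manifest, showing only the fields that change; the Secret name elasticsearch-credentials and its key are hypothetical, and the exec probe assumes curl is present in the image.

```yaml
# Added example: the elastic password lives in its own Secret.
apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-credentials        # hypothetical name
type: Opaque
stringData:
  password: "<GENERATED_PASSWORD>"       # placeholder, set your own value
---
# Only the fields that differ from the StatefulSet in section 4 are shown.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: elasticsearch
spec:
  template:
    spec:
      containers:
        - name: elasticsearch
          env:
            - name: ELASTIC_PASSWORD
              valueFrom:
                secretKeyRef:             # replaces the literal value
                  name: elasticsearch-credentials
                  key: password
          readinessProbe:                 # apply the same change to livenessProbe
            exec:
              command:
                - sh
                - -c
                - 'curl -sf -u "elastic:${ELASTIC_PASSWORD}" "http://localhost:9200/_cluster/health?local=true"'
            initialDelaySeconds: 50
            timeoutSeconds: 5
            periodSeconds: 30
            successThreshold: 1
            failureThreshold: 3
      volumes:
        - name: secret-certs
          secret:
            secretName: elasticsearch-certs
            defaultMode: 0444             # read-only for all; was 0777
```

Because elasticsearch.yml above reads both keystore and truststore from ${HOSTNAME}.p12 and never references ca.p12, only the init-cert container needs the ca.p12 mount; the copy mounted into the main container can be dropped.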

Pick one of the ES instances, the one with IP 10.0.4.253, and inspect its certificate with the openssl tool; the result is as follows:
