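Deploying EFK with helm previously felt somewhat cumbersome, so I wrote a job on the 7.16 branch of helm-charts so that the username/password and the SSL certificates are generated automatically and created as secrets in k8s. As a result, SSL is enabled by default at deployment.
The changes on the helm-charts 7.16 branch are purely a personal-interest project and are for reference only.
The official elastic/helm-charts has also implemented automatic certificate generation in its latest changes.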
$ git clone https://github.com/cloudenmin/helm-charts.git
$ cd helm-charts
$ git checkout 7.16
values.yaml
Default username: elastic
Default password: P@ssw0rD
security:
  username: "elastic"
  password: "P@ssw0rD"
Deploy Elasticsearch
$ cd elasticsearch
$ helm install elasticsearch . -n efk --create-namespace
Deployment result:
$ kubectl get pod -n efk
NAME                     READY   STATUS    RESTARTS   AGE
elasticsearch-master-0   1/1     Running   0          2m
elasticsearch-master-1   1/1     Running   0          2m
elasticsearch-master-2   1/1     Running   0          2m
Modify values.yaml
elasticsearchHosts: "https://elasticsearch-master-headless.efk.svc.cluster.local:9200"
Deploy Kibana
$ cd kibana
$ helm install kibana . -n efk
Deployment result:
NAME                      READY   STATUS    RESTARTS   AGE
elasticsearch-master-0    1/1     Running   0          13m
elasticsearch-master-1    1/1     Running   0          13m
elasticsearch-master-2    1/1     Running   0          13m
kibana-79465dfb9f-chxft   1/1     Running   0          72s
Access https://${host_ip}:30601
A job.yaml was created:
{{- if .Values.security.enable }}
{{- $serviceAccountName := .Values.security.rbac.serviceAccountName }}
---
# Because the job operates on secrets, a new ServiceAccount is created and granted the required permissions.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-7"
    "helm.sh/hook-delete-policy": before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-6"
    "helm.sh/hook-delete-policy": before-hook-creation
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - update
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceAccountName }}
  namespace: {{ .Release.Namespace }}
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
---
# Run a job that creates the user and certificate secrets.
# The job is deleted automatically after it completes.
apiVersion: batch/v1
kind: Job
metadata:
  name: elastic-security-config
  namespace: {{ .Release.Namespace | quote }}
  annotations:
    "helm.sh/hook": pre-install,post-delete
    "helm.sh/hook-weight": "-4"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
  labels:
    heritage: {{ .Release.Service | quote }}
    release: {{ .Release.Name | quote }}
    chart: "{{ .Chart.Name }}"
    app: "{{ template "elasticsearch.uname" . }}"
spec:
  ttlSecondsAfterFinished: 100
  template:
    spec:
      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      containers:
        - name: create-security-config
          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
          imagePullPolicy: "{{ .Values.imagePullPolicy }}"
          env:
            # Quoted so that YAML always parses the rendered values as strings.
            - name: USERNAME
              value: {{ .Values.security.username | b64enc | quote }}
            - name: PASSWORD
              value: {{ .Values.security.password | b64enc | quote }}
            - name: NAMESPACE
              value: {{ .Release.Namespace | quote }}
          command:
{{ toYaml .Values.security.command | indent 12 -}}
{{- end }}
The script executed by the job:
It is defined in values.yaml
security:
  command:
    - bash
    - -c
    - |
      #!/bin/bash
      # Service account token and CA mounted into the pod, used to call the Kubernetes API.
      KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
      KUBE_CERT='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
      SECRET_URL=https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets
      # Delete the named secret if it exists.
      delete_secret(){
        if [ "$(curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X GET "$SECRET_URL/$1" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -o /dev/null)" -eq 200 ]; then
          if [ "$(curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X DELETE "$SECRET_URL/$1" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -o /dev/null)" -eq 200 ]; then
            echo "deleting $1 successfully!"
          fi
        else
          echo "$1 does not exist"
        fi
      }
      # Delete the old secrets
      delete_secret elastic-credentials
      delete_secret elastic-certificates
      delete_secret elastic-certificate-pem
      delete_secret elastic-certificate-crt
      # Generate the CA and the node certificate, then export them as PEM and DER.
      elasticsearch-certutil ca --out elastic-stack-ca.p12 --pass ''
      elasticsearch-certutil cert --name security-master --dns security-master --ca elastic-stack-ca.p12 --pass '' --ca-pass '' --out elastic-certificates.p12
      openssl pkcs12 -nodes -passin pass:'' -in elastic-certificates.p12 -out elastic-certificate.pem
      openssl x509 -outform der -in elastic-certificate.pem -out elastic-certificate.crt
      # USERNAME and PASSWORD arrive already base64-encoded from the Job spec.
      create_user_secret(){
        DATA='{"apiVersion":"v1","kind":"Secret","type":"Opaque","metadata":{"name":"elastic-credentials","namespace":"'${NAMESPACE}'"},"data":{"password":"'${PASSWORD}'","username":"'${USERNAME}'"}}'
        HTTP_CODE=$(curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X POST "$SECRET_URL" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -d "$DATA" -o /dev/null)
        if [ "$HTTP_CODE" -eq 201 ]; then
          echo "$HTTP_CODE: creating elastic-credentials successfully!"
        else
          echo "$HTTP_CODE: failed to create elastic-credentials!"
        fi
      }
      # Create the username/password secret
      create_user_secret
      # $1 is the secret name, $2 is the file whose content is stored under a key of the same name.
      create_certifcate_secret(){
        DATA='{"apiVersion":"v1","kind":"Secret","type":"Opaque","metadata":{"name":"'$1'","namespace":"'${NAMESPACE}'"},"data":{"'$2'":"'$(base64 -w0 < "$2")'"}}'
        HTTP_CODE=$(curl -sw '%{http_code}' --cacert "${KUBE_CERT}" -X POST "$SECRET_URL" -H 'Content-Type: application/json' -H "Authorization: Bearer ${KUBE_TOKEN}" -d "$DATA" -o /dev/null)
        if [ "$HTTP_CODE" -eq 201 ]; then
          echo "$HTTP_CODE: creating $1 successfully!"
        else
          echo "$HTTP_CODE: failed to create a $1!"
        fi
      }
      # Create the certificate secrets
      create_certifcate_secret elastic-certificates elastic-certificates.p12
      create_certifcate_secret elastic-certificate-pem elastic-certificate.pem
      create_certifcate_secret elastic-certificate-crt elastic-certificate.crt
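
The job script above only echoes a message when a secret cannot be created, so the hook Job can finish successfully with secrets missing. The following is an added example, not part of the chart, of the certificate-secret step with quoted arguments and a non-zero return on any unexpected HTTP status; the function names are hypothetical, and the `efk` namespace and API host defaults are assumptions for running outside the cluster.

```bash
#!/bin/bash
# Added example, not part of the chart. Assumes the job's in-cluster environment;
# the defaults below (namespace efk, API host) are assumptions for illustration.
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}
NAMESPACE=${NAMESPACE:-efk}
SECRET_URL="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}/api/v1/namespaces/${NAMESPACE}/secrets"

# secret_json NAME KEY B64VALUE: print the Secret manifest sent to the API.
secret_json() {
  printf '{"apiVersion":"v1","kind":"Secret","type":"Opaque","metadata":{"name":"%s","namespace":"%s"},"data":{"%s":"%s"}}' \
    "$1" "$NAMESPACE" "$2" "$3"
}

# kube_api METHOD URL [BODY]: print only the HTTP status code of the call.
kube_api() {
  curl -s -o /dev/null -w '%{http_code}' --cacert "$SA_DIR/ca.crt" \
    -X "$1" "$2" -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" ${3:+-d "$3"}
}

# replace_cert_secret NAME FILE: delete NAME if present, then create it from FILE.
# Returns non-zero on any unexpected status so the hook Job fails visibly.
replace_cert_secret() {
  local name="$1" file="$2" code b64
  [ -r "$file" ] || { echo "missing $file" >&2; return 1; }
  code=$(kube_api DELETE "$SECRET_URL/$name")
  case "$code" in
    200|202|404) ;;   # deleted, accepted, or nothing to delete
    *) echo "delete $name: HTTP $code" >&2; return 1 ;;
  esac
  b64=$(base64 < "$file" | tr -d '\n')
  code=$(kube_api POST "$SECRET_URL" "$(secret_json "$name" "$(basename "$file")" "$b64")")
  [ "$code" = 201 ] || { echo "create $name: HTTP $code" >&2; return 1; }
  echo "created $name"
}

# In the job script the calls would become, for example:
#   replace_cert_secret elastic-certificates elastic-certificates.p12 || exit 1
```

Because it issues DELETE directly and treats 404 as success, this flow uses only the `delete` and `create` verbs on secrets; the Role's `get`, `list` and `update` verbs are not needed for it.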