rapps/elastic-8.1.2.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-init-script
  namespace: logging 
data:
  setup_certs.sh: |
   #!/bin/bash
   ELASTIC_HOME=/usr/share/elasticsearch
   # If the ca directory already exists, delete it
   if [ -d /certs-dir/ca ]; then
        rm -rf /certs-dir/ca 
   fi
   # If the elasticsearch directory already exists, delete it
   if [ -d /certs-dir/elasticsearch ]; then
        rm -rf /certs-dir/elasticsearch
   fi
   echo "Creating CA";
   $ELASTIC_HOME/bin/elasticsearch-certutil ca --silent --pem -out /certs-dir/ca.zip;
   unzip -o /certs-dir/ca.zip -d /certs-dir;
   echo "Creating certs";
   echo -ne \
   "instances:\n"\
   "  - name: elasticsearch\n"\
   "    dns:\n"\
   "      - elasticsearch\n"\
   "      - elasticsearch.logging\n"\
   "      - elasticsearch.est.tech\n"\
   "      - localhost\n"\
   "    ip:\n"\
   "      - 127.0.0.1\n"\
   "      - 192.168.49.2\n"\
   > /certs-dir/instances.yml;
   $ELASTIC_HOME/bin/elasticsearch-certutil cert --silent --pem -out /certs-dir/certs.zip --in /certs-dir/instances.yml \
   --ca-cert /certs-dir/ca/ca.crt --ca-key /certs-dir/ca/ca.key;
   unzip -o /certs-dir/certs.zip -d /certs-dir;
  
   echo "Removing zip files"  
   rm -f /certs-dir/ca.zip
   rm -f /certs-dir/certs.zip
   echo "Setting file permissions"
   chmod 750 /certs-dir/ca 
   chmod 750 /certs-dir/elasticsearch
   chmod 640 /certs-dir/ca/* 
   chmod 640 /certs-dir/elasticsearch/*
   echo "All done!"; 
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-config
  namespace: logging 
data:
  elasticsearch.yml: |
   discovery.type: single-node
   cluster.name: "docker-cluster"
   network.host: 0.0.0.0
   node.name: elasticsearch 
   ingest.geoip.downloader.enabled: false
   xpack.license.self_generated.type: basic
   xpack.security.enabled: true
   xpack.security.http.ssl.enabled: true
   xpack.security.http.ssl.key: certs/elasticsearch/elasticsearch.key
   xpack.security.http.ssl.certificate: certs/elasticsearch/elasticsearch.crt
   xpack.security.http.ssl.certificate_authorities: certs/ca/ca.crt
   xpack.security.http.ssl.verification_mode: certificate
   xpack.security.transport.ssl.enabled: true
   xpack.security.transport.ssl.key: certs/elasticsearch/elasticsearch.key
   xpack.security.transport.ssl.certificate: certs/elasticsearch/elasticsearch.crt
   xpack.security.transport.ssl.certificate_authorities: certs/ca/ca.crt
   xpack.security.transport.ssl.verification_mode: certificate
---
apiVersion: apps/v1 
kind: Deployment
metadata:
  name: elasticsearch
  namespace: logging
spec:
  selector:
    matchLabels:
      component: elasticsearch
  template:
    metadata:
      labels:
        component: elasticsearch
    spec:
      containers:
      - name: elasticsearch
        imagePullPolicy: IfNotPresent
        image: docker.elastic.co/elasticsearch/elasticsearch:8.1.2
        env:
        - name: ELASTIC_PASSWORD 
          value: "secret"
        ports:
        - containerPort: 9200
          name: http
          protocol: TCP 
        resources:
          limits:
            cpu: 500m
            memory: 4Gi
          requests:
            cpu: 500m
            memory: 4Gi
        volumeMounts:
        - name: elasticsearch-storage
          mountPath: /usr/share/elasticsearch/data 
          readOnly: false
        - name: elasticsearch-certs
          mountPath: /usr/share/elasticsearch/config/certs
          readOnly: true 
        - name : config
          mountPath: /usr/share/elasticsearch/config/elasticsearch.yml 
          subPath: elasticsearch.yml 
          readOnly: false
      initContainers:
      - name: init-elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:8.1.2
        imagePullPolicy: IfNotPresent
        command: ['/bin/bash', '-c', '/usr/share/elasticsearch/bin/setup_certs.sh']
        volumeMounts:
        - name: elasticsearch-certs
          mountPath: "/certs-dir"
        - name: elasticsearch-cert-init
          mountPath: /usr/share/elasticsearch/bin/setup_certs.sh
          subPath: setup_certs.sh
      volumes:
      - name: elasticsearch-storage
        hostPath:
          # Ensure the file directory is created.
           path: /var/elasticsearch/data 
           type: DirectoryOrCreate
      - name: elasticsearch-certs
        hostPath:
          # Ensure the file directory is created.
           path: /var/elasticsearch/config/certs 
           type: DirectoryOrCreate
      - name: config
        configMap:
          name: elasticsearch-config 
      - name: elasticsearch-cert-init
        configMap:
          name: elasticsearch-init-script
          defaultMode: 0755
---
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: logging
  labels:
    service: elasticsearch
spec:
  type: NodePort
  selector:
    component: elasticsearch
  ports:
  - port: 9200
    targetPort: 9200
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: esgateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - elasticsearch.est.tech
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: esvirtualservice
spec:
  hosts:
  - "elasticsearch.est.tech"
  gateways:
  - esgateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - elasticsearch.est.tech
    route:
    - destination:
        host: elasticsearch.logging.svc.cluster.local
        port:
          number: 9200
---