From 5d8a09916b4ed38e4a4cba4a18f50648a51f63bc Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Mon, 1 Jul 2019 23:12:12 +0200
Subject: [PATCH 1/2] Init Elastisearch spec asciidoc - Draft intro - Node configuration - HTTP settings & TLS SANs - Custom HTTP certificate
---
 docs/elasticsearch-spec.asciidoc | 103 +++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 docs/elasticsearch-spec.asciidoc
diff --git a/docs/elasticsearch-spec.asciidoc b/docs/elasticsearch-spec.asciidoc
new file mode 100644
index 0000000000..5b350b3495
--- /dev/null
+++ b/docs/elasticsearch-spec.asciidoc
@@ -0,0 +1,103 @@
+[id="{p}-elasticsearch-specification"]
+== Elasticsearch Specification
+
+There are a number of settings which need to be considered before going into production related to Elasticsearch but also to Kubernetes.
+
+Basic settings
+
+- JVM heap size
+- Node configuration
+- HTTP settings & TLS SANs
+- Resource limits
+- Pod Template
+- Volume claim templates
+
+Advanced settings
+
+- Virtual memory
+- Custom HTTP certificate
+- Secure settings
+- Custom plugins and bundles
+- Init containers for plugin downloads
+- Pod disruption budget
+- Change budget (maxUnavailable, maxSurge)
+
+[id="{p}-node-configuration"]
+=== Node configuration
+
+Any setting that can be configured in the `elasticsearch.yml` configuration file can be defined for each topology of nodes in the `spec.nodes[?].config` section.
+
+[source,yaml]
+----
+kind: Elasticsearch
+spec:
+ nodes:
+ - nodeCount: 3
+ config:
+ node.master: true
+ node.data: false
+ node.ingest: false
+ node.ml: false
+ xpack.ml.enabled: true
+ cluster.remote.connect: false
+ - nodeCount: 10
+ config:
+ node.master: false
+ node.data: true
+ node.ingest: true
+ node.ml: true
+ cluster.remote.connect: false
+----
+
+For more information on Elasticsearch settings, see https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html[Configuring Elasticsearch].
+
+[id="{p}-http-settings-tls-sans"]
+=== HTTP settings & TLS SANs
+
+You can change the type of the Kubernetes service used to expose Elasticsearch in https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types[different ways] in the `spec.http.service.spec` section.
+
+[source,yaml]
+----
+spec:
+ http:
+ service:
+ spec:
+ type: LoadBalancer
+----
+
+You can add an IP or a DNS name in the SAN of the self-signed certificate configured by default to secure the HTTP layer with TLS in the `spec.http.tls.selfSignedCertificate` section.
+
+[source,yaml]
+----
+spec:
+ http:
+ tls:
+ selfSignedCertificate:
+ subjectAltNames:
+ - ip: 1.2.3.4
+ - dns: hulk.example.com
+----
+
+[id="{p}-custom-http-certificate"]
+=== Custom HTTP certificate
+
+You can provide your own CA and certificates instead of the self-signed certificate to connect to Elasticsearch via HTTPS using a Kubernetes secret.
+
+You need to reference the name of a secret that contains a TLS private key and a certificate (or a chain), in the `spec.http.tls.certificate` section.
+
+[source,yaml]
+----
+spec:
+ http:
+ tls:
+ certificate:
+ secretName: my-cert
+----
+
+Example to create a Kubernetes TLS secret with a self-signed certificate:
+
+[source,sh]
+----
+$ openssl req -x509 -newkey rsa:4096 -keyout tls.key -out tls.crt -days 365 -nodes
+$ kubectl create secret tls my-cert --cert tls.crt --key tls.key
+----
From 960429b54af483ad315a51c157507b14fa462222 Mon Sep 17 00:00:00 2001
From: Thibault Richard
Date: Wed, 3 Jul 2019 09:43:16 +0200
Subject: [PATCH 2/2] Remove kind from the yaml manifest snippet
---
 docs/elasticsearch-spec.asciidoc | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docs/elasticsearch-spec.asciidoc b/docs/elasticsearch-spec.asciidoc
index 5b350b3495..7b1c435c33 100644
--- a/docs/elasticsearch-spec.asciidoc
+++ b/docs/elasticsearch-spec.asciidoc
@@ -29,7 +29,6 @@ Any setting that can be configured in the `elasticsearch.yml` configuration file

 [source,yaml]
 ----
-kind: Elasticsearch
 spec:
 nodes:
 - nodeCount: 3