Elasticsearch (10) | Docker deployment with certificates
Deploy Elasticsearch with Docker, configure TLS certificates, and access it over HTTPS.
In a new, empty directory, create the following four files:
- instances.yml
- .env
- create-certs.yml
- docker-compose.yml
instances.yml
instances:
  - name: es01
    # every hostname and IP a client may use in the URL must be listed here;
    # certutil puts them into the certificate's subjectAltName
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
.env
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
# replace with the password for the built-in elastic user
ELASTIC_PASSWORD=你的密码
create-certs.yml
services:
  create_certs:
    container_name: create_certs
    image: elasticsearch:7.17.22
    # generates one CA plus a key/cert pair per entry in instances.yml (PEM),
    # then hands the files to uid 1000, the user Elasticsearch runs as in the image
    command: >
      bash -c '
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes: ['certs:/certs', '.:/usr/share/elasticsearch/config/certificates']
volumes: {"certs"}
docker-compose.yml
services:
  es01:
    container_name: es01
    image: elasticsearch:7.17.22
    environment:
      - LANG=C.UTF-8
      - LC_ALL=C.UTF-8
      - node.name=es01
      # single node: es02 is never started, and bootstrapping waits until every
      # node in cluster.initial_master_nodes has been discovered, so list only es01
      - discovery.seed_hosts=es01
      - cluster.initial_master_nodes=es01
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      # HTTPS for clients (port 9200)
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      # TLS between nodes (port 9300)
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    # the image keeps its data under /usr/share/elasticsearch/data, not /var/lib
    volumes: ['data01:/usr/share/elasticsearch/data', 'certs:$CERTS_DIR']
    ports:
      - 9200:9200
    healthcheck:
      # the exit status is what wait_until_ready waits for, so it must fail
      # until an authenticated HTTPS request against our own CA succeeds
      test: curl -sf --cacert $CERTS_DIR/ca/ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 >/dev/null || exit 1
      interval: 30s
      timeout: 10s
      retries: 5
  wait_until_ready:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.22
    command: /usr/bin/true
    depends_on: {"es01": {"condition": "service_healthy"}}
volumes: {"data01", "certs"}
Run the commands
Generate the certificates (only needed once):
docker compose -f create-certs.yml run --rm create_certs
Start the Elasticsearch node configured for SSL/TLS:
docker compose up -d
Then, trusting the CA certificate (ca.crt from the certs volume, copied to /tmp/ca.crt), enter the password of the elastic user to access the node:
curl --cacert /tmp/ca.crt -u elastic https://localhost:9200
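As an added example (not part of the original post), the script below copies the CA and the node certificate out of the es01 container, checks that es01.crt chains to ca.crt and that its subjectAltName covers the names declared in instances.yml, and then makes the authenticated request above. It assumes the CERTS_DIR value from .env, that docker, openssl and curl are installed on the host, and that ELASTIC_PASSWORD is exported; run it as `sh verify-es-tls.sh run`.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the TLS setup of es01.
# Assumes CERTS_DIR matches .env and that docker, openssl and curl are installed.
set -eu

CERTS_DIR=/usr/share/elasticsearch/config/certificates
CA_OUT=${CA_OUT:-/tmp/ca.crt}          # where the final curl expects the CA

# Print the entries of a PEM certificate's subjectAltName, one per line,
# normalised to "DNS:name" or "IP:address".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/^IP Address:/IP:/'
}

# san_covers CERT NAME... : succeed only if every NAME (hostname or IPv4
# address, written as in instances.yml) is present in CERT's SANs.
san_covers() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  ok=0
  for name in "$@"; do
    case $name in
      *[!0-9.]*) want="DNS:$name" ;;   # contains a letter: hostname
      *)         want="IP:$name"  ;;   # digits and dots only: IPv4
    esac
    printf '%s\n' "$sans" | grep -qx "$want" \
      || { echo "certificate has no SAN $want"; ok=1; }
  done
  return $ok
}

# chain_ok CA CERT : the same chain check that curl --cacert performs.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Full check against the running container (needs docker and ELASTIC_PASSWORD).
verify_node() {
  docker cp "es01:$CERTS_DIR/ca/ca.crt" "$CA_OUT"
  docker cp "es01:$CERTS_DIR/es01/es01.crt" /tmp/es01.crt
  chain_ok "$CA_OUT" /tmp/es01.crt || { echo "es01.crt does not chain to ca.crt"; exit 1; }
  # the names a client may put in the URL; they must match instances.yml
  san_covers /tmp/es01.crt es01 localhost 127.0.0.1
  # trust only our CA: curl verifies chain and hostname, then authenticates
  curl --cacert "$CA_OUT" -u "elastic:${ELASTIC_PASSWORD:?export ELASTIC_PASSWORD first}" \
    https://localhost:9200
}
case ${1:-} in run) verify_node ;; esac
```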