Let's create an encryption key and add a secret into a namespace in Kubernetes.
```bash
#!/bin/bash
IMAGE="docker.elastic.co/kibana/kibana:<version you want>"
NAMESPACE="<your namespace>"
# Generate a 50-character random key inside the Kibana image, then store it as a secret.
encryptionkey=$(sudo docker run --rm "${IMAGE}" /bin/sh -c "< /dev/urandom tr -dc _A-Za-z0-9 | head -c50") && \
kubectl create secret generic kibana --from-literal=encryptionkey="${encryptionkey}" -n "${NAMESPACE}"
```
result:
Below is the process, line by line, to create a self-signed certificate, store it with its private key as a secret, and mount that secret.
[command] openssl genrsa -out elastic-private.key 2048
result: Generating RSA private key, 2048 bit long modulus..
[command] openssl req -new -key elastic-private.key -out elastic-csr.pem
result: You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:?-gu
Organization Name (eg, company) [Default Company Ltd]:Your Company Co Ltd
Organizational Unit Name (eg, section) []:BlahBlah Server
Common Name (eg, your name or your server's hostname) []:full.domain.name
Email Address []:xxx@xxxxx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:What You Want Co., Ltd.
[command] openssl x509 -req -in elastic-csr.pem -signkey elastic-private.key -out elastic-certificate.pem
result: Signature ok
subject=/C=KR/ST=Seoul/L=?-gu/O=\xC3\xA3Your Company Co Ltd/OU=? Server/CN=your.domain.name/emailAddress=xxxx@xxxx.com
Getting Private key
[command] kubectl create secret generic elastic-certificate-test --from-file=elastic-private.key --from-file=elastic-certificate.pem -n <your namespace>
result: secret/elastic-certificate-test created
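Before running the `kubectl create secret` step above, it is worth confirming that the key and certificate belong together and that the certificate is not about to expire (`openssl x509 -req` issues a 30-day certificate when `-days` is not given). The following is an added example, not part of the original post; the function names `check_tls_pair` and `make_sample_pair` are hypothetical, and `make_sample_pair` only builds a constructed throwaway pair for trying the check.

```bash
#!/bin/bash
# Added example: pre-flight check for a TLS key/certificate pair before it is
# stored as a Kubernetes secret. Function names are hypothetical.

# check_tls_pair KEY CERT [MIN_DAYS]
# Returns 0 if the pair is usable, 1 if the key does not belong to the
# certificate, 2 if the certificate expires within MIN_DAYS (default 30),
# 3 if either file cannot be read or parsed.
check_tls_pair() {
  local key="$1" cert="$2" min_days="${3:-30}" key_pub cert_pub
  # Public key derived from the private key, and the one embedded in the cert.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "key and certificate do not match" >&2
    return 1
  fi
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires in less than ${min_days} days" >&2
    return 2
  fi
  return 0
}

# make_sample_pair DIR DAYS
# Builds a constructed, throwaway pair with the same three openssl steps as
# above, run non-interactively (-subj) and with an explicit validity (-days).
make_sample_pair() {
  local dir="$1" days="$2"
  openssl genrsa -out "$dir/elastic-private.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/elastic-private.key" -subj "/CN=full.domain.name" \
    -out "$dir/elastic-csr.pem" &&
  openssl x509 -req -in "$dir/elastic-csr.pem" -signkey "$dir/elastic-private.key" \
    -days "$days" -out "$dir/elastic-certificate.pem" 2>/dev/null
}
```

Run `check_tls_pair elastic-private.key elastic-certificate.pem 30` in the directory holding the files; a non-zero exit status means the pair should not be loaded into the secret.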
An example Deployment YAML that mounts the secret:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels;
  # the label app: kibana is an assumed value.
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
        - name: kibana
          image: kibana:7.10.1
          env:
            - name: ELASTICSEARCH_URL
              value: http://elasticsearch:9200
            - name: ELASTICSEARCH_HOSTS
              value: http://elasticsearch:9200
            - name: SERVER_SSL_ENABLED
              value: "true"
            - name: SERVER_SSL_CERTIFICATE
              value: /usr/share/kibana/config/certs/elastic-certificate.pem
            - name: SERVER_SSL_KEY
              value: /usr/share/kibana/config/certs/elastic-private.key
          volumeMounts:
            # Files from the secret appear under this path, named after the secret's keys.
            - name: certificates
              mountPath: /usr/share/kibana/config/certs
              readOnly: true
      volumes:
        - name: certificates
          secret:
            secretName: elastic-certificate-test
```