Create an encryption key and a certificate, and add them as secrets for Kibana

gepp 2023. 3. 27. 10:23

Let's create an encryption key and add it as a secret to a namespace in Kubernetes.

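#!/bin/bash

# Replace the placeholders before running.
IMAGE="docker.elastic.co/kibana/kibana:<version you want>"
NAMESPACE="<your namespace>"

# Generate a 50-character random key inside the Kibana image, then store it as a secret.
encryptionkey=$(sudo docker run --rm "${IMAGE}" /bin/sh -c "< /dev/urandom tr -dc _A-Za-z0-9 | head -c50") && \
kubectl create secret generic kibana --from-literal=encryptionkey="${encryptionkey}" -n "${NAMESPACE}"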

 


And below is the process to create a certificate and mount the secret, line by line.

 

[command] openssl genrsa -out elastic-private.key 2048
result: Generating RSA private key, 2048 bit long modulus..

[command] openssl req -new -key elastic-private.key -out elastic-csr.pem
result: You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:?-gu
Organization Name (eg, company) [Default Company Ltd]:Your Company Co Ltd
Organizational Unit Name (eg, section) []:BlahBlah Server
Common Name (eg, your name or your server's hostname) []:full.domain.name
Email Address []:xxx@xxxxx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test
An optional company name []:What You Want Co., Ltd.

[command] openssl x509 -req -in elastic-csr.pem -signkey elastic-private.key -out elastic-certificate.pem
result: Signature ok
subject=/C=KR/ST=Seoul/L=?-gu/O=\xC3\xA3Your Company Co Ltd/OU=? Server/CN=your.domain.name/emailAddress=xxxx@xxxx.com
Getting Private key

[command] kubectl create secret generic elastic-certificate-test --from-file=elastic-private.key --from-file=elastic-certificate.pem -n <your namespace>
result: secret/elastic-certificate-test created
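
Before the `kubectl create secret` step above, it is worth confirming that the certificate really carries the public key of `elastic-private.key` and checking when it expires: `openssl x509 -req` issues a 30-day certificate when `-days` is not given. The script below is an added example, not part of the original post; the function name `check_tls_pair` and the 7-day default threshold are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post): pre-flight check for the files
# that go into the elastic-certificate-test secret.

# check_tls_pair KEY CERT [MIN_DAYS]
#   0  CERT carries the public key of KEY and is valid for at least MIN_DAYS more days
#   1  KEY and CERT do not belong together
#   2  CERT expires within MIN_DAYS (default 7, an assumed threshold)
#   3  KEY or CERT could not be parsed
check_tls_pair() {
  local key cert min_days key_pub cert_pub
  key=$1; cert=$2; min_days=${3:-7}

  # Both commands print the SubjectPublicKeyInfo as PEM, so the text is comparable.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
  [ -n "$key_pub" ] || return 3
  [ "$key_pub" = "$cert_pub" ] || return 1

  # -checkend exits non-zero when the certificate expires within N seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || return 2
  return 0
}

# Stand-alone use: ./check.sh elastic-private.key elastic-certificate.pem [min_days]
if [ "$#" -ge 2 ]; then
  check_tls_pair "$@"; rc=$?
  case $rc in
    0) echo "OK: key and certificate match; $(openssl x509 -in "$2" -noout -enddate)";;
    1) echo "FAIL: certificate was not issued for this private key" >&2;;
    2) echo "FAIL: certificate expires too soon; $(openssl x509 -in "$2" -noout -enddate)" >&2;;
    *) echo "FAIL: could not read key or certificate" >&2;;
  esac
  exit "$rc"
fi
```

The exit code lets the check be chained with `&&` in front of the `kubectl create secret` command, so a mismatched or nearly expired pair never reaches the cluster.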

 

An example YAML manifest that mounts the certificate secret into Kibana:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels
  # (the app: kibana label is an example value)
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: kibana
        image: kibana:7.10.1
        env:
        - name: ELASTICSEARCH_URL
          value: http://elasticsearch:9200
        - name: ELASTICSEARCH_HOSTS
          value: http://elasticsearch:9200
        # Serve Kibana over TLS with the files from the mounted secret
        - name: SERVER_SSL_ENABLED
          value: "true"
        - name: SERVER_SSL_CERTIFICATE
          value: /usr/share/kibana/config/certs/elastic-certificate.pem
        - name: SERVER_SSL_KEY
          value: /usr/share/kibana/config/certs/elastic-private.key
        volumeMounts:
        - name: certificates
          mountPath: /usr/share/kibana/config/certs
          readOnly: true
      volumes:
      # Each key in the secret becomes a file under the mount path
      - name: certificates
        secret:
          secretName: elastic-certificate-test