ELK学习笔记（二）——使用K8S部署Kibana8.15.0

上篇文章我们完成了，ES的集群部署，如果还没有看过上篇文章的兄弟，可以去看看。
ELK学习笔记（一）——使用K8S部署ElasticSearch8.15.0集群
话不多说，接下来直接进入kibana的搭建

一、下载镜像

#1、下载官方镜像
docker pull kibana:8.15.0
#2、打新tag
docker tag kibana:8.15.0 192.168.9.41:8088/new-erp-common/kibana:8.15.0
#3、推送到私有仓库harbor
docker push 192.168.9.41:8088/new-erp-common/kibana:8.15.0

二、创建工作目录

mkdir -p /home/ec2-user/k8s/elk/kibana

kibana的yaml文件目录：/home/ec2-user/k8s/elk/kibana

kibana的安全证书文件目录：/home/ec2-user/k8s/elk/kibana/certs

三、准备yaml配置文件

3.1重置密码（密码忘记时可选）

当es集群搭建好之后，用kubectl exec -it 进去到任一es容器内部，运行下方命令重置elastic账号 与 kibana-system(kibana专用)账号的密码

$ kubectl get pod -n renpho-erp-common|grep elastic
elasticsearch-0                       1/1     Running   0          3d21h
elasticsearch-1                       1/1     Running   0          3d21h
elasticsearch-2                       1/1     Running   0          3d21h# ec2-user @ k8s-master in ~/k8s/elk/kibana [4:14:42] 
$ kubectl exec -it elasticsearch-0 -n renpho-erp-common -- /bin/sh
sh-5.0$ pwd
/usr/share/elasticsearch
#重置elasticsearch密码
sh-5.0$ ./bin/elasticsearch-reset-password -u elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]yPassword for the [elastic] user successfully reset.
New value: sJdEWgos4+O3Ay*lgt
#重置kibana密码
sh-5.0$ ./bin/elasticsearch-reset-password -u kibana_system
This tool will reset the password of the [kibana] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]yPassword for the [kibana_system] user successfully reset.
New value: fo*6-ggA59Fk*CYQG4Df

记住此密码，下面kibana.yml中需要用到。或者使用./bin/elasticsearch-reset-password -u kibana_system -i自定义密码

修改密码时可能会遇到权限问题，比如执行./bin/elasticsearch-reset-password -u elastic时，出现

sh-5.0$ ./bin/elasticsearch-reset-password -u elastic
WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]

This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]

ERROR: User cancelled operation, with exit code 0

3.2准备ConfigMap配置

创建ConfigMap配置，里面主要配置了kibana.yml需要的配置

• server.publicBaseUrl、server.host
  可以根据自己的需要填写，我习惯都是挂个域名然后通过内网配个hosts来访问
• elasticsearch.hosts 配置kibana访问ES集群的地址，这里用的就是ES service的访问地址
• elasticsearch.password 是我们之前设定的kibana_system账号的密码

$ cat config-map-kibana.yaml 
apiVersion: v1
kind: ConfigMap #配置信息
metadata:name: config-map-kibana #kibana配置namespace: renpho-erp-common
data:kibana.yml: |#服务器端口#server.publicBaseUrl:server.port: 5601server.host: "0.0.0.0"server.shutdownTimeout: "5s"monitoring.ui.container.elasticsearch.enabled: trueelasticsearch.hosts: [ "https://elasticsearch.renpho-erp-common.svc.cluster.local:9200" ]#让 Kibana 连接到 Elasticsearch 时不验证 SSL 证书的有效性elasticsearch.ssl.verificationMode: noneelasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/local-certs/elasticsearch-ca.pem" ]server.ssl.enabled: trueserver.ssl.certificate: /usr/share/kibana/config/local-certs/kibana.crtserver.ssl.key: /usr/share/kibana/config/local-certs/kibana.key#访问es服务器账号密码，可以进到es pod中执行./bin/elasticsearch-reset-password -u kibana_system重置密码elasticsearch.username: "kibana_system"elasticsearch.password: "fo*6-ggA59Fk*CYQG4Df"# =================== System: Logging ===================logging.root.level: info# Example with size based log rotationlogging.appenders.default:type: rolling-filefileName: /usr/share/kibana/logs/kibana.logpolicy:type: time-intervalstrategy:type: numericpattern: '-%i'max: 10layout:type: json# Specifies locale to be used for all localizable strings, dates and number formats.# Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".i18n.locale: "zh-CN"

3.3准备Service及StatefulSet文件

$ cat deploy-kibana2.yaml 
apiVersion: v1
kind: Service
metadata:name: kibananamespace: renpho-erp-common
spec:ports:- port: 5601protocol: TCPtargetPort: 5601nodePort: 30091type: NodePortselector:app: kibana
---
apiVersion: apps/v1
kind: StatefulSet
metadata:name: kibananamespace: renpho-erp-commonlabels:app: kibana
spec:replicas: 1selector:matchLabels:app: kibanatemplate:metadata:labels:app: kibanaspec:containers:- name: kibanaimage: renpho.harbor.com/new-erp-common/kibana:8.15.0imagePullPolicy: IfNotPresentresources:limits:cpu: 1memory: 2Grequests:cpu: 0.5memory: 500Miports:- containerPort: 5601protocol: TCPvolumeMounts:- name: kibana-volumemountPath: /usr/share/kibana/datasubPath: kibana-data- name: kibana-volumemountPath: /usr/share/kibana/logssubPath: kibana-logs- name: kibana-cert-file  #挂载ssl证书目录mountPath: /usr/share/kibana/config/local-certs- name: kibana-config  #挂载配置文件mountPath: /usr/share/kibana/config/kibana.ymlsubPath: kibana.yml- name: host-time  #挂载本地时区mountPath: /etc/localtimereadOnly: truevolumes:- name: kibana-configconfigMap:name: config-map-kibanadefaultMode: 493 #文件权限为-rwxr-xr-x- name: kibana-cert-filesecret:secretName: kibana-certificates- name: host-timehostPath: #挂载本地时区path: /etc/localtimetype: ""volumeClaimTemplates:- metadata:name: kibana-volumespec:storageClassName: ssd-nfs-storageaccessModes: [ "ReadWriteMany" ]resources:requests:storage: 20Gi

四、开始用K8S部署Kibana

首先，看下kibana目录下的文件

4.1将安全证书添加到Secret中

kubectl create secret generic kibana-certificates  --from-file=/home/ec2-user/k8s/elk/kibana/certs/elasticsearch-ca.pem  --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.crt  --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.csr --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.key -n renpho-erp-common

4.2运行Kibana

依次执行下列命令

#ES配置文件创建
kubectl apply -f config-map-kibana.yaml
#ES Service，StatefulSet创建
kubectl apply -f delpoy-kibana2.yaml
#查看运行状态
kubectl get pod -n renpho-erp-common|grep kibana

浏览器访问下面地址：https://renpho.master.com:30091/login，这时候需要输入elastic的账号登录进去
你也可以使用ip访问，例如https://192.168.6.220:30091/login。我这里是将192.168.6.220做了个伪域名renpho.master.com

登录进去后，通过kibana dev-tool一样可以查看ES集群状态

到此，使用K8s部署Kibana成功！