How to Set Up an OpenSearch Operator Coordinator
If you generated your certificates by following the post below, the change to subjectAltName means the certificates must be regenerated as well.
2024.11.28 - [Develop/k8s] - OpenSearch Operator Certificate Setup
```bash
# Generate the root CA
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/CN=opensearch" -out root-ca.pem -days 3650
# Admin certificate used by the OpenSearch Operator to manage the OpenSearch cluster
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/CN=opensearch-admin" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 3650
# subjectAltName entries for DNS-based communication between nodes (the coordinator service names are new here)
echo 'subjectAltName=DNS:opensearch-cluster-masters,DNS:opensearch-cluster-masters.opensearch,DNS:opensearch-cluster-masters.opensearch.svc,DNS:opensearch-cluster-masters.opensearch.svc.cluster.local,DNS:opensearch-cluster-coordinator,DNS:opensearch-cluster-coordinator.opensearch.svc.cluster.local,DNS:opensearch-cluster-coordinator.logging,DNS:opensearch-cluster-coordinator.logging.svc' > san.ext
# Node certificate for communication between OpenSearch nodes
openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
openssl req -new -key node-key.pem -subj "/CN=opensearch-cluster-*" -out node.csr
openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 3650 -extfile san.ext
# Create the secrets that the OpenSearchCluster yaml will reference
kubectl create secret generic opensearch-cert-admin --from-file=ca.crt=root-ca.pem --from-file=tls.crt=admin.pem --from-file=tls.key=admin-key.pem -n opensearch
kubectl create secret generic opensearch-cert-node --from-file=ca.crt=root-ca.pem --from-file=tls.crt=node.pem --from-file=tls.key=node-key.pem -n opensearch
```
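A pre-flight check worth running before `kubectl create secret`: confirm that node.pem chains to root-ca.pem, that its subject is exactly the string listed in `nodesDn`, and that every service name the nodes and Dashboards will dial appears in subjectAltName. This is an added example, not code from the original post or the Operator project; it assumes openssl 1.1.1+ is on PATH and the file names used in the post. `make_demo_certs` and `demo` are constructed fixtures that rebuild a throwaway CA and node cert so the check can be tried offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify node.pem before packing it
# into the opensearch-cert-node secret. Assumes openssl 1.1.1+ on PATH.
set -eu

# check_node_cert CA CERT NODES_DN DNS_NAME...
# Succeeds only if CERT chains to CA, its subject equals the nodesDn entry the
# cluster trusts, and every DNS_NAME is in subjectAltName; prints the first failure.
check_node_cert() {
  local ca="$1" cert="$2" nodes_dn="$3"; shift 3
  local subj sans name
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: $cert is not signed by $ca"; return 1; }
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$subj" = "$nodes_dn" ] \
    || { echo "subject: '$subj' does not match nodesDn '$nodes_dn'"; return 1; }
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -- "$name" \
      || { echo "san: missing DNS:$name"; return 1; }
  done
}

# make_demo_certs DIR DNS_NAME...
# Constructed fixture mirroring the openssl steps in the post: a root CA and a
# node cert whose SAN lists the given service names (1-day validity).
make_demo_certs() {
  local dir="$1"; shift
  local san_list; san_list=$(printf 'DNS:%s,' "$@"); san_list="${san_list%,}"
  ( cd "$dir"
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/CN=opensearch" -out root-ca.pem -days 1
    echo "subjectAltName=$san_list" > san.ext
    openssl genrsa -out node-key.pem 2048 2>/dev/null
    openssl req -new -key node-key.pem -subj "/CN=opensearch-cluster-*" -out node.csr
    openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem \
      -CAcreateserial -sha256 -out node.pem -days 1 -extfile san.ext 2>/dev/null )
}

# demo: build the fixture with the masters and coordinator service names from the
# post and run the check; exit status 0 means the cert is safe to load.
demo() {
  local dir; dir=$(mktemp -d)
  local masters=opensearch-cluster-masters.opensearch.svc.cluster.local
  local coord=opensearch-cluster-coordinator.opensearch.svc.cluster.local
  make_demo_certs "$dir" "$masters" "$coord"
  check_node_cert "$dir/root-ca.pem" "$dir/node.pem" "CN=opensearch-cluster-*" "$masters" "$coord"
}
```

Against real files, source the script and run `check_node_cert root-ca.pem node.pem 'CN=opensearch-cluster-*' <every DNS name from san.ext>`; a non-zero exit names the first mismatch.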
Editing the OpenSearchCluster yaml file
Dashboards was changed to point at the coordinator, and a coordinator node pool was added.
```yaml
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch-cluster
  namespace: opensearch
spec:
  security:
    config:
      adminSecret:
        name: opensearch-cert-admin
    tls:
      http:
        generate: false
        secret:
          name: opensearch-cert-node
      transport:
        generate: false
        perNode: false
        secret:
          name: opensearch-cert-node
        nodesDn: ["CN=opensearch-cluster-*"]
        adminDn: ["CN=opensearch-admin"]
  general:
    httpPort: 9200
    serviceName: my-first-cluster
    version: 2.19.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
  dashboards:
    additionalConfig: ## change hosts to the coordinator
      opensearch.hosts: '["http://opensearch-cluster-coordinator.logging.svc.cluster.local:9200"]'
    tls:
      enable: true
      generate: false
      secret:
        name: opensearch-cert-node
    version: 2.19.0
    enable: true
    replicas: 1
    resources:
      requests:
        memory: "512Mi"
        cpu: "200m"
      limits:
        memory: "512Mi"
        cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      resources:
        requests:
          memory: "4Gi"
          cpu: "1000m"
        limits:
          memory: "4Gi"
          cpu: "1000m"
      roles:
        - "data"
        - "cluster_manager"
      persistence:
        emptyDir: {}
    - component: coordinator # added coordinator pool
      replicas: 1
      roles:
        - ""
      additionalConfig:
        node.master: "false"
        node.data: "false"
        node.ingest: "false"
        node.remote_cluster_client: "false"
      resources:
        requests:
          memory: "2Gi"
          cpu: "1000m"
        limits:
          memory: "2Gi"
          cpu: "1000m"
      persistence:
        emptyDir: {}
```
Note that to use the ingest features OpenSearch provides, an ingest node must also be created.