
 

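How to upload a Helm chart to Harbor.

Create a project in Harbor first, then proceed.

# --insecure skips TLS certificate verification for the registry
helm registry login harbor.wky.kr --insecure
# Input id/password

# A project named "chart" was created in Harbor
# --plain-http pushes over unencrypted HTTP
helm push <helm-chart-name>.tgz oci://harbor.wky.kr/chart --plain-http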

 

How to configure a coordinator node with the OpenSearch Operator

 

If you generated certificates by following the post below, the certificates must be regenerated as well, because the subjectAltName changes.

2024.11.28 - [Develop/k8s] - OpenSearch Operator Certificate Configuration

# Create the root CA
openssl genrsa -out root-ca-key.pem 2048
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/CN=opensearch" -out root-ca.pem -days 3650

# Admin certificate that the OpenSearch Operator uses to manage the OpenSearch cluster
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "/CN=opensearch-admin" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 3650

# Create the subjectAltName list for DNS-based communication between nodes
echo 'subjectAltName=DNS:opensearch-cluster-masters,DNS:opensearch-cluster-masters.opensearch,DNS:opensearch-cluster-masters.opensearch.svc,DNS:opensearch-cluster-masters.opensearch.svc.cluster.local,DNS:opensearch-cluster-coordinator,DNS:opensearch-cluster-coordinator.opensearch.svc.cluster.local,DNS:opensearch-cluster-coordinator.logging,DNS:opensearch-cluster-coordinator.logging.svc' > san.ext

# Certificate used between OpenSearch nodes
openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
openssl req -new -key node-key.pem -subj "/CN=opensearch-cluster-*" -out node.csr
openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 3650 -extfile san.ext

# Create secrets from the certificate files that the OpenSearch YAML will reference
kubectl create secret generic opensearch-cert-admin --from-file=ca.crt=root-ca.pem --from-file=tls.crt=admin.pem --from-file=tls.key=admin-key.pem -n opensearch
kubectl create secret generic opensearch-cert-node --from-file=ca.crt=root-ca.pem --from-file=tls.crt=node.pem --from-file=tls.key=node-key.pem -n opensearch
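
Before creating the secrets, it is worth confirming that node.pem chains to root-ca.pem and that its subjectAltName covers every DNS name that nodes and clients will connect to. The following is an added example, not part of the original post; the function names are hypothetical and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: check a node certificate's chain and subjectAltName coverage.

# cert_covers_host CERT HOST -> exit 0 if HOST matches the certificate
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_signed_by CA CERT -> exit 0 if CERT verifies against CA
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# missing_hosts CERT HOST... -> prints each HOST the certificate does not cover
missing_hosts() {
    cert=$1; shift
    for host in "$@"; do
        cert_covers_host "$cert" "$host" || printf '%s\n' "$host"
    done
}

# check_node_cert CA CERT HOST... -> exit 0 only if the chain and all names pass
check_node_cert() {
    ca=$1; cert=$2; shift 2
    if ! cert_signed_by "$ca" "$cert"; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi
    missing=$(missing_hosts "$cert" "$@")
    [ -z "$missing" ] && return 0
    echo "FAIL: names not covered by subjectAltName:" >&2
    echo "$missing" >&2
    return 1
}

# Runs only in the directory holding the files generated above.
# Host names are taken from san.ext and from opensearch.hosts on this page.
if [ -f root-ca.pem ] && [ -f node.pem ]; then
    check_node_cert root-ca.pem node.pem \
        opensearch-cluster-masters.opensearch.svc.cluster.local \
        opensearch-cluster-coordinator.opensearch.svc.cluster.local \
        opensearch-cluster-coordinator.logging.svc.cluster.local
fi
```

Pass every name that appears in a client configuration, including the host in the Dashboards opensearch.hosts setting; any name printed as missing has to be added to san.ext and node.pem reissued.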

 

Edit the OpenSearchCluster YAML file

Dashboards was changed to point at the coordinator, and a coordinator node pool was configured.

apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch-cluster
  namespace: opensearch
spec:
  security:
    config:
      adminSecret:
        name: opensearch-cert-admin
    tls:
       http:
         generate: false
         secret:
           name: opensearch-cert-node
       transport:
         generate: false
         perNode: false
         secret:
           name: opensearch-cert-node
         nodesDn: ["CN=opensearch-cluster-*"]
         adminDn: ["CN=opensearch-admin"]
  general:
    httpPort: 9200
    serviceName: my-first-cluster
    version: 2.19.0
    pluginsList: ["repository-s3"]
    drainDataNodes: true
  dashboards:
    additionalConfig: ## hosts changed to the coordinator
      opensearch.hosts: '["http://opensearch-cluster-coordinator.logging.svc.cluster.local:9200"]'
    tls:
      enable: true
      generate: false
      secret:
        name: opensearch-cert-node
    version: 2.19.0
    enable: true
    replicas: 1
    resources:
      requests:
         memory: "512Mi"
         cpu: "200m"
      limits:
         memory: "512Mi"
         cpu: "200m"
  nodePools:
    - component: masters
      replicas: 3
      resources:
         requests:
            memory: "4Gi"
            cpu: "1000m"
         limits:
            memory: "4Gi"
            cpu: "1000m"
      roles:
        - "data"
        - "cluster_manager"
      persistence:
         emptyDir: {}
    - component: coordinator # coordinator added
      replicas: 1
      roles:
      - ""
      additionalConfig:
        node.master: "false"
        node.data: "false"
        node.ingest: "false"
        node.remote_cluster_client: "false"
      resources:
         requests:
            memory: "2Gi"
            cpu: "1000m"
         limits:
            memory: "2Gi"
            cpu: "1000m"
      persistence:
         emptyDir: {}

 

 

Note that to use the ingest feature provided by OpenSearch, you must create an ingest node.


 

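When Fluent Bit runs as a Kubernetes DaemonSet, no extra mount is needed if the host's journal directory is /var/log/journal. If it is anywhere else, that directory must be mounted into the DaemonSet.

Find the path where the journal is located on the host and configure it.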

 

Edit the DaemonSet

kubectl edit ds fluent-bit -n fluent
...
    spec:
      containers:
      - args:
        -
        ...
        command:
        ...
        volumeMounts:
        - mountPath: /run/log/journal  ## added
          name: systemd-log            ## added
          readOnly: true               ## added
      dnsPolicy:
      restartPolicy:
      ...
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
      volumes:
      - hostPath:                      ## added
          path: /run/log/journal       ## added
        name: systemd-log              ## added

 

 

After that, edit the ConfigMap

kubectl edit cm fluent-bit -n fluent
[INPUT]
    Name systemd
    Path /run/log/journal
    Tag systemd.*
    Systemd_Filter _SYSTEMD_UNIT=kubelet.service
    Systemd_Filter _SYSTEMD_UNIT=containerd.service
    Read_From_Tail On

## The section below is optional
[FILTER]
    Name record_modifier
    Match systemd.*
    Record kubernetes systemd

 
