instances.yml
identifies the instances you need to create certificates for;
.env
sets environment variables to specify the Elasticsearch version and the location where the Elasticsearch certificates will be created;
create-certs.yml
is a Docker Compose file that launches a container to generate the certificates for ESK;
elastic-docker-tls.yml
is a Docker Compose file that brings up an ESK instance with Transport Layer Security (TLS) enabled.
---
# instances.yml: input for `elasticsearch-certutil cert --in`, consumed by
# create-certs.yml. One entry per container that needs its own certificate.
# The `dns` and `ip` entries are what clients will see when they verify the
# certificate (presumably emitted as subject alternative names — confirm
# against the certutil docs), so every name used to reach an instance,
# including the Compose service name, has to be listed here.
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - '127.0.0.1'
  - name: kib01
    dns:
      - kib01
      - localhost
# Read by Docker Compose when either compose file in this directory is run.
# Project name; Compose uses it to prefix resources it names itself (the
# `certs`/`data01` volumes and the `elastic` network). The containers carry
# explicit container_name values, so they are not prefixed.
COMPOSE_PROJECT_NAME=es
# Path *inside* the containers. elastic-docker-tls.yml mounts the `certs`
# volume here and points every xpack.security.*.ssl.* setting and the Kibana
# SERVER_SSL_* / ELASTICSEARCH_SSL_* variables at files below it.
CERTS_DIR=/usr/share/elasticsearch/config/certificates
# Image tag used for the elasticsearch image in both compose files and for
# the kibana image; keep them in step so the generated certificates and the
# security settings match the release actually started.
VERSION=7.16.1
---
# create-certs.yml: one-shot helper that runs certutil inside the
# Elasticsearch image and leaves the resulting PEM files in the shared
# `certs` volume that elastic-docker-tls.yml mounts into both containers.
version: '2.2'
services:
  create_certs:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: create_certs
    # Folded scalar handed to `bash -c`. Every statement ends in ';' so the
    # script is valid however the line breaks are folded.
    #  - unzip is installed at run time, so the container needs network access.
    #  - generation is skipped when /certs/bundle.zip already exists: a re-run
    #    will not silently replace keys that are already deployed.
    #  - no `--pass` is given, so the PEM keys are presumably written
    #    unencrypted — confirm; the only protection they get is the volume.
    #  - chown hands everything to uid 1000 (the uid the Elasticsearch image
    #    runs as — confirm for this VERSION); file modes are left as unzip
    #    wrote them, there is no chmod tightening the private keys.
    command: >
      bash -c '
        yum install -y -q -e 0 unzip;
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes:
      # Output: the named volume later mounted at $CERTS_DIR by the stack.
      - certs:/certs
      # Input: the current directory, so instances.yml is visible to certutil.
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic
volumes:
  certs:
    driver: local
networks:
  elastic:
    driver: bridge
---
# elastic-docker-tls.yml: single-node Elasticsearch plus Kibana with TLS on
# both the HTTP and transport layers. PEM files come from the `certs` volume
# populated by create-certs.yml; $CERTS_DIR and $VERSION are taken from .env
# (Compose interpolates them before the file reaches the engine).
version: '2.2'
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # Generate and apply a trial license that supports TLS
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      # HTTP layer: TLS for client connections (Kibana, curl, the healthcheck)
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      # Transport layer: TLS for inter-node traffic. verification_mode=certificate
      # still checks the peer chains to ca.crt but skips hostname verification,
      # which is what lets these self-signed certificates be used.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    # Unlimited memlock so bootstrap.memory_lock=true can actually pin the heap.
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      # Read/write mount of the whole bundle, not only the es01 files.
      - certs:$CERTS_DIR
    ports:
      - '9200:9200'
    networks:
      - elastic
    healthcheck:
      # NOTE(review): `echo 0` / `echo 1` both exit 0, so this test reports
      # healthy whenever curl returns at all; the `== 52` comparison never
      # affects the result, and kib01's service_healthy gate below is in
      # practice just "curl finished within the timeout". `exit 0` / `exit 1`
      # would make the status depend on curl, but confirm which exit code an
      # unauthenticated request to a ready node really produces before
      # changing it. `$$?` is Compose's escape for a literal `$`: the shell
      # sees `$?`.
      test: >-
        curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 >/dev/null;
        if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on:
      es01:
        condition: service_healthy
    ports:
      - '5601:5601'
    environment:
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      # Dedicated service account rather than the elastic superuser.
      ELASTICSEARCH_USERNAME: kibana_system
      # NOTE(review): a live credential committed in clear text in the compose
      # file. Prefer an interpolated value (`${KIBANA_PASSWORD}`) supplied from
      # the environment or a secret store, and keep the literal out of VCS.
      ELASTICSEARCH_PASSWORD: 'D37fklQ2JYkrKGmxaVNN'
      # Kibana verifies es01's HTTP certificate against the same generated CA.
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: $CERTS_DIR/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: $CERTS_DIR/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: $CERTS_DIR/kib01/kib01.crt
    volumes:
      # Same volume as es01: this container can also read es01's private key.
      - certs:$CERTS_DIR
    networks:
      - elastic
volumes:
  data01:
    driver: local
  certs:
    driver: local
networks:
  elastic:
    driver: bridge