Demo of an OpenSearch deployment in k8s with cert-manager and a self-signed CA certificate
- Deployment of Cert Manager in k8s
- Deployment of Ingress Controller and Resource
- Creation of a self-signed CA using cert-manager
- Creation of cert-manager certificates signed by the self-signed CA
- Deployment of OpenSearch/Dashboards using helm
- Generation of certificates using Let's Encrypt
- Deployment of OpenSearch/Dashboards with Let's Encrypt certificates
- EKS Cluster
- Route53
- Cert-Manager
- ingress-nginx
- helm
eksctl create cluster \
--name test-cluster \
--region eu-west-1 \
--nodegroup-name linux-nodes \
--node-type t2.medium \
--nodes 3
N.B. Command to delete the cluster (note that the PV remains on AWS and will accumulate charges if not deleted):
- eksctl delete cluster --name test-cluster
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.7.0 --set installCRDs=true
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install ing ingress-nginx/ingress-nginx \
--namespace ingress \
--version 4.0.1 \
--values ingress_controller.yaml \
--create-namespace
After a couple of seconds, the command below should display the external address in the form of a domain name; update your Route53 records accordingly (with a Type A record):
kubectl get svc -n ingress
kubectl apply -f ingress.yaml
kubectl get ing
kubectl apply -f example-1
kubectl get secret -n cert-manager
kubectl get secret ca-key-pair -o yaml -n cert-manager
kubectl apply -f example-2
kubectl get secret
kubectl get secret tls-for-dashboards-key-pair -o yaml
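The page applies example-1 and example-2 without showing them, so the following is an added sketch of the cert-manager resources such a self-signed CA chain needs; it is not the repository's own files. The secret names and domain come from the commands on this page, all other names and the key algorithm are assumptions, and it relies on the Helm install above making `cert-manager` the namespace where ClusterIssuers look up their secrets.

```yaml
# Added example. Names marked "assumed" are not from the page.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap   # assumed name
spec:
  selfSigned: {}               # used only to sign the CA certificate below
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: demo-ca                # assumed name
  namespace: cert-manager      # where ClusterIssuers look up their CA secret
spec:
  isCA: true
  commonName: demo-ca          # assumed
  secretName: ca-key-pair      # secret name used on the page
  privateKey:
    algorithm: ECDSA           # assumed choice
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: demo-ca-issuer         # assumed name
spec:
  ca:
    secretName: ca-key-pair    # signs with the CA key pair created above
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-for-dashboards     # assumed name
  namespace: default
spec:
  secretName: tls-for-dashboards-key-pair   # secret name used on the page
  dnsNames:
    - test-domain.co.uk        # domain used on the page
  usages:
    - digital signature
    - key encipherment
    - server auth
  issuerRef:
    name: demo-ca-issuer
    kind: ClusterIssuer
```

The `ca-key-pair` secret holds the CA private key under `tls.key`, so the `-o yaml` output above includes it base64-encoded; limit who can read secrets in the `cert-manager` namespace.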
cd charts/opensearch
helm package .
helm install --values=values.yaml opensearch opensearch-1.7.1.tgz
kubectl get pod
cd ../opensearch-dashboards/
helm package .
helm install --values=values.yaml dashboards opensearch-dashboards-1.2.0.tgz
Make sure the logs indicate that the service is running on https://0.0.0.0:5601:
kubectl logs dashboards-opensearch-dashboards
Now connect to your domain in a browser (Firefox is recommended, as the certificates are not trusted by the browser because they are signed by a self-signed CA unknown to it):
test-domain.co.uk
First clear up any certificates and secrets created from previous steps:
helm delete dashboards
helm delete opensearch
kubectl delete -f example-2
kubectl delete -f example-1
Delete any remaining secrets, so that only the one below is left:
kubectl get secret
NAME                  TYPE                                  DATA   AGE
default-token-sdzvh   kubernetes.io/service-account-token   3      11m
Apply the new ClusterIssuer and certificate files, together with the additional secrets needed by OpenSearch Dashboards:
kubectl apply -f lets_encrypt/.
Perform steps 6 and 7 again, this time using the new charts located in the lets_encrypt/charts directory.
Notice the differences: the tls.crt file in the OpenSearch config and the initContainer in the OpenSearch Dashboards config.