Elasticsearch Cluster Certificate Encryption


艾瑞斯胡 85 2022-10-14

I. Create a self-signed certificate

1) Create the directories

mkdir -p /home/ws/docker/elastic/search
cd /home/ws/docker/elastic/search
mkdir -p config/certs config/container

2) Create four files

cd config/container
Environment variable file .env:
ELASTICSEARCH_IMAGE_VERSION=7.17.6
COMPOSE_PROJECT_NAME=es
CERTS_DIR=/usr/share/elasticsearch/config/certificates
ELASTIC_PASSWORD=Study123
Instance certificate configuration file instances.yml:
instances:
  - name: es.home.cloud
    dns:
      - es01
      - localhost
      - 192.168.3.26
    ip:
      - 192.168.3.26
      - 172.18.37.2
  - name: es02.home.cloud
    dns:
      - es02
      - localhost
    ip:
      - 172.18.37.3
  - name: es03.home.cloud
    dns:
      - es03
      - localhost
    ip:
      - 172.18.37.4
Compose file that creates the certificates, create-certs.yml:
version: '2.2'

services:
  create_certs:
    container_name: create_certs
    image: elasticsearch:$ELASTICSEARCH_IMAGE_VERSION
    command: >
      bash -c '
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes:
      - ../certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - es-net

networks:
  es-net:
    name: esnet
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.18.37.0/24
          gateway: 172.18.37.1
Create the run script make-certs.sh:
touch make-certs.sh
chmod a+x make-certs.sh
vim make-certs.sh
#!/bin/sh

docker-compose -f ./create-certs.yml run --rm create_certs

3) Generate the certificate files

./make-certs.sh
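
An added example (not from the original post): a pre-flight check on instances.yml to run before make-certs.sh. It flags IP literals filed under dns, such as 192.168.3.26 in the first instance above, because clients that connect by IP address match only iPAddress SANs (the ip list). The parser, function names and sample input are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample, abridged from the instances.yml above.
SAMPLE = """\
instances:
  - name: es.home.cloud
    dns:
      - es01
      - 192.168.3.26
    ip:
      - 192.168.3.26
"""

def parse_instances(text):
    """Read the name/dns/ip layout shown above (not a general YAML parser)."""
    instances, key = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("- name:"):
            instances.append({"name": line.split(":", 1)[1].strip(), "dns": [], "ip": []})
            key = None
        elif line in ("dns:", "ip:"):
            key = line[:-1]
        elif line.startswith("- ") and instances and key:
            instances[-1][key].append(line[2:].strip().strip("'\""))
    return instances

def is_ip(value):
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False

def lint_sans(instances):
    """Return (instance name, message) pairs for SAN entries that need attention."""
    findings, owner = [], {}
    for inst in instances:
        name = inst["name"]
        for d in inst["dns"]:
            if is_ip(d):
                findings.append((name, f"dns entry {d} is an IP literal; list it under ip only"))
        for i in inst["ip"]:
            if not is_ip(i):
                findings.append((name, f"ip entry {i} is not an IP address"))
            elif owner.setdefault(i, name) != name:
                findings.append((name, f"ip {i} is already claimed by {owner[i]}"))
    return findings

if __name__ == "__main__":
    print(*lint_sans(parse_instances(SAMPLE)), sep="\n")
```

An empty result means every entry is filed under the matching SAN type and no IP address is shared between instance certificates.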

II. Install the certificate locally

1) Download the certificate

Use XFTP 7 to download the certificates from the server to the local disk.


2) Install the certificate

