ELK学习笔记（二）——使用K8S部署Kibana8.15.0

上篇文章我们完成了，ES的集群部署，如果还没有看过上篇文章的兄弟，可以去看看。
ELK学习笔记（一）——使用K8S部署ElasticSearch8.15.0集群
话不多说，接下来直接进入kibana的搭建

一、下载镜像

#1、下载官方镜像
docker pull kibana:8.15.0
#2、打新tag
docker tag kibana:8.15.0 192.168.9.41:8088/new-erp-common/kibana:8.15.0
#3、推送到私有仓库harbor
docker push 192.168.9.41:8088/new-erp-common/kibana:8.15.0

二、创建工作目录

mkdir -p /home/ec2-user/k8s/elk/kibana

kibana的yaml文件目录：/home/ec2-user/k8s/elk/kibana

kibana的安全证书文件目录：/home/ec2-user/k8s/elk/kibana/certs

三、准备yaml配置文件

3.1重置密码（密码忘记时可选）

当es集群搭建好之后，用kubectl exec -it 进去到任一es容器内部，运行下方命令重置elastic账号 与 kibana-system(kibana专用)账号的密码

$ kubectl get pod -n renpho-erp-common|grep elastic
elasticsearch-0                       1/1     Running   0          3d21h
elasticsearch-1                       1/1     Running   0          3d21h
elasticsearch-2                       1/1     Running   0          3d21h

# ec2-user @ k8s-master in ~/k8s/elk/kibana [4:14:42] 
$ kubectl exec -it elasticsearch-0 -n renpho-erp-common -- /bin/sh
sh-5.0$ pwd
/usr/share/elasticsearch
#重置elasticsearch密码
sh-5.0$ ./bin/elasticsearch-reset-password -u elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [elastic] user successfully reset.
New value: sJdEWgos4+O3Ay*lgt
#重置kibana密码
sh-5.0$ ./bin/elasticsearch-reset-password -u kibana_system
This tool will reset the password of the [kibana] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [kibana_system] user successfully reset.
New value: fo*6-ggA59Fk*CYQG4Df

记住此密码，下面kibana.yml中需要用到。或者使用./bin/elasticsearch-reset-password -u kibana_system -i自定义密码

修改密码时可能会遇到权限问题，比如执行./bin/elasticsearch-reset-password -u elastic时，出现

sh-5.0$ ./bin/elasticsearch-reset-password -u elastic
WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]
WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]

This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]

ERROR: User cancelled operation, with exit code 0

3.2准备ConfigMap配置

创建ConfigMap配置，里面主要配置了kibana.yml需要的配置

• server.publicBaseUrl、server.host
  可以根据自己的需要填写，我习惯都是挂个域名然后通过内网配个hosts来访问
• elasticsearch.hosts 配置kibana访问ES集群的地址，这里用的就是ES service的访问地址
• elasticsearch.password 是我们之前设定的kibana_system账号的密码

$ cat config-map-kibana.yaml 
apiVersion: v1
kind: ConfigMap #配置信息
metadata:
  name: config-map-kibana #kibana配置
  namespace: renpho-erp-common
data:
  kibana.yml: |
    #服务器端口
    #server.publicBaseUrl:
    server.port: 5601
    server.host: "0.0.0.0"
    server.shutdownTimeout: "5s"
    
    monitoring.ui.container.elasticsearch.enabled: true
    elasticsearch.hosts: [ "https://elasticsearch.renpho-erp-common.svc.cluster.local:9200" ]
    
    #让 Kibana 连接到 Elasticsearch 时不验证 SSL 证书的有效性
    elasticsearch.ssl.verificationMode: none
    elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/local-certs/elasticsearch-ca.pem" ]
    
    server.ssl.enabled: true
    server.ssl.certificate: /usr/share/kibana/config/local-certs/kibana.crt
    server.ssl.key: /usr/share/kibana/config/local-certs/kibana.key

    
    #访问es服务器账号密码，可以进到es pod中执行./bin/elasticsearch-reset-password -u kibana_system重置密码
    elasticsearch.username: "kibana_system"
    elasticsearch.password: "fo*6-ggA59Fk*CYQG4Df"
    
    # =================== System: Logging ===================

    logging.root.level: info

    # Example with size based log rotation
    logging.appenders.default:
      type: rolling-file
      fileName: /usr/share/kibana/logs/kibana.log
      policy:
        type: time-interval
      strategy:
        type: numeric
        pattern: '-%i'
        max: 10
      layout:
        type: json

    # Specifies locale to be used for all localizable strings, dates and number formats.
    # Supported languages are the following: English (default) "en", Chinese "zh-CN", Japanese "ja-JP", French "fr-FR".
    i18n.locale: "zh-CN"

3.3准备Service及StatefulSet文件

$ cat deploy-kibana2.yaml 
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: renpho-erp-common
spec:
  ports:
  - port: 5601
    protocol: TCP
    targetPort: 5601
    nodePort: 30091
  type: NodePort
  selector:
    app: kibana
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: kibana
  namespace: renpho-erp-common
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: kibana
        image: renpho.harbor.com/new-erp-common/kibana:8.15.0
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 1
            memory: 2G
          requests:
            cpu: 0.5
            memory: 500Mi
        ports:
        - containerPort: 5601
          protocol: TCP
        volumeMounts:
        - name: kibana-volume
          mountPath: /usr/share/kibana/data
          subPath: kibana-data
        - name: kibana-volume
          mountPath: /usr/share/kibana/logs
          subPath: kibana-logs
        - name: kibana-cert-file  #挂载ssl证书目录
          mountPath: /usr/share/kibana/config/local-certs
        - name: kibana-config  #挂载配置文件
          mountPath: /usr/share/kibana/config/kibana.yml
          subPath: kibana.yml
        - name: host-time  #挂载本地时区
          mountPath: /etc/localtime
          readOnly: true
      volumes:
      - name: kibana-config
        configMap:
          name: config-map-kibana
          defaultMode: 493 #文件权限为-rwxr-xr-x
      - name: kibana-cert-file
        secret:
          secretName: kibana-certificates
      - name: host-time
        hostPath: #挂载本地时区
          path: /etc/localtime
          type: ""
  volumeClaimTemplates:
  - metadata:
      name: kibana-volume
    spec:
      storageClassName: ssd-nfs-storage
      accessModes: [ "ReadWriteMany" ]
      resources:
        requests:
          storage: 20Gi

四、开始用K8S部署Kibana

首先，看下kibana目录下的文件

4.1将安全证书添加到Secret中

kubectl create secret generic kibana-certificates  --from-file=/home/ec2-user/k8s/elk/kibana/certs/elasticsearch-ca.pem  --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.crt  --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.csr --from-file=/home/ec2-user/k8s/elk/kibana/certs/kibana.key -n renpho-erp-common

4.2运行Kibana

依次执行下列命令

#ES配置文件创建
kubectl apply -f config-map-kibana.yaml
#ES Service，StatefulSet创建
kubectl apply -f delpoy-kibana2.yaml
#查看运行状态
kubectl get pod -n renpho-erp-common|grep kibana

浏览器访问下面地址：https://renpho.master.com:30091/login，这时候需要输入elastic的账号登录进去
你也可以使用ip访问，例如https://192.168.6.220:30091/login。我这里是将192.168.6.220做了个伪域名renpho.master.com

登录进去后，通过kibana dev-tool一样可以查看ES集群状态

到此，使用K8s部署Kibana成功！