
RHOCP) Creating an OpenShift Elasticsearch Route

by LILO 2023. 8. 6.

INTRO

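After installing the Elasticsearch Operator on RHOCP, Elasticsearch is reachable only through its Service IP inside the cluster, so it cannot be accessed from outside the cluster.

To make it accessible from outside, you need to create a Route for the Elasticsearch Service.

For details, see the document below.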

 

Configuring the log store - Configuring your Logging deployment | Logging | OpenShift Container Platform 4.13


docs.openshift.com

 

 

Creating the Elasticsearch Route

Check that the Elasticsearch Pods are running.

# oc get pods -l component=elasticsearch -n openshift-logging
NAME                                            READY   STATUS    RESTARTS   AGE
elasticsearch-cdm-irhsc3iy-1-6cfc965b7-tsjww    2/2     Running   0          21h
elasticsearch-cdm-irhsc3iy-2-75b6987d66-kp7gn   2/2     Running   0          21h
elasticsearch-cdm-irhsc3iy-3-5447fc7f7c-52lqg   2/2     Running   0          21h

Look up the Elasticsearch Service IP.

# oc get service elasticsearch -n openshift-logging -o json |jq .spec.clusterIP
"172.30.233.11"

# oc get service elasticsearch -n openshift-logging
NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
elasticsearch   ClusterIP   172.30.233.11   <none>        9200/TCP   21h

To check Elasticsearch health, run one of the commands below.

<Using the es_util command inside the Elasticsearch Pod>
# ES_POD=`oc get pod -n openshift-logging |grep -i elasticsearch-cdm | head -1 |awk '{print $1}'`

# oc exec ${ES_POD} -c elasticsearch -n openshift-logging -- es_util --query="_cat/health"       
1691251501 16:05:01 elasticsearch green 3 3 258 129 0 0 0 0 - 100.0%


<Using the curl command inside the Elasticsearch Pod>
# token=$(oc whoami -t)

# SVC_IP=`oc get service elasticsearch -o jsonpath={.spec.clusterIP} -n openshift-logging`

# ES_POD=`oc get pod -n openshift-logging |grep -i elasticsearch-cdm | head -1 |awk '{print $1}'`

# oc exec -n openshift-logging -c elasticsearch ${ES_POD} -- curl --tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://${SVC_IP}:9200/_cat/health"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    69  100    69    0     0    610      0 --:--:-- --:--:-- --:--:--   610
1691251299 16:01:39 elasticsearch green 3 3 258 129 0 0 0 0 - 100.0%

Extract the CA certificate from Elasticsearch and save it to a file named admin-ca.

# oc extract -n openshift-logging secret/elasticsearch --to=. --keys=admin-ca

Create a Route for the Elasticsearch Service.

# cat << EOF > es-route.yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: elasticsearch
  namespace: openshift-logging
spec:
  host:
  to:
    kind: Service
    name: elasticsearch
  tls:
    termination: reencrypt
    destinationCACertificate: |
EOF

Append the contents of the 'admin-ca' CA certificate file created earlier under destinationCACertificate.

cat ./admin-ca | sed -e "s/^/      /" >>  ./es-route.yaml

Create the Route and confirm it.

# oc create -f  es-route.yaml

# oc get route  -n openshift-logging  elasticsearch
NAME            HOST/PORT                                               PATH   SERVICES        PORT    TERMINATION   WILDCARD
elasticsearch   elasticsearch-openshift-logging.apps.ocp4.example.com          elasticsearch   <all>   reencrypt     None
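
The manifest-building steps above combined into one function, as an added example that is not part of the original post: it refuses to write the Route when the extracted admin-ca file is empty, is not PEM, or contains a private key. The function name build_es_route and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# build_es_route CA_FILE [OUT_FILE]
#   CA_FILE  - file written by `oc extract ... --keys=admin-ca`
#   OUT_FILE - manifest to write (default: es-route.yaml)
build_es_route() {
  ca_file=$1
  out_file=${2:-es-route.yaml}

  # An empty file would produce a Route with no destination CA at all.
  [ -s "$ca_file" ] || { echo "CA file missing or empty: $ca_file" >&2; return 1; }

  # Require PEM certificate markers before anything is written.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" &&
    grep -q -- '-----END CERTIFICATE-----' "$ca_file" ||
    { echo "no PEM certificate found in $ca_file" >&2; return 1; }

  # A private key must never end up in a Route manifest.
  if grep -q 'PRIVATE KEY' "$ca_file"; then
    echo "$ca_file contains a private key, refusing" >&2
    return 1
  fi

  {
    cat <<'EOF'
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: elasticsearch
  namespace: openshift-logging
spec:
  host:
  to:
    kind: Service
    name: elasticsearch
  tls:
    termination: reencrypt
    destinationCACertificate: |
EOF
    # Six spaces place each PEM line inside the block scalar above.
    sed -e 's/^/      /' "$ca_file"
  } > "$out_file"
}
# Usage: build_es_route ./admin-ca es-route.yaml && oc create -f es-route.yaml
```
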

Verify that Elasticsearch can be accessed normally.

# token=$(oc whoami -t)
# routeES=`oc get route elasticsearch -n openshift-logging -o jsonpath={.spec.host}`

# curl --tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://${routeES}" |jq .name
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   510  100   510    0     0   3541      0 --:--:-- --:--:-- --:--:--  3541
"elasticsearch-cdm-irhsc3iy-1"

# curl --tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://${routeES}" |jq .name
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   510  100   510    0     0   7183      0 --:--:-- --:--:-- --:--:--  7083
"elasticsearch-cdm-irhsc3iy-3"

# curl --tlsv1.2 --insecure -H "Authorization: Bearer ${token}" "https://${routeES}" |jq .name
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   510  100   510    0     0   9272      0 --:--:-- --:--:-- --:--:--  9272
"elasticsearch-cdm-irhsc3iy-2"

 
