Please refrain from swearing at my colleague, and in these forums in general. I understand your frustration, and the documentation certainly needs to be improved. We'll take that on board.
Here's a script which deploys ECK, Elasticsearch, Kibana, and APM Server, and extracts the APM secret token and CA certificate.
```bash
#!/usr/bin/bash
set -e

# Install the ECK CRDs
kubectl create -f https://download.elastic.co/downloads/eck/2.9.0/crds.yaml

# Install the ECK Operator
kubectl apply -f https://download.elastic.co/downloads/eck/2.9.0/operator.yaml

# Create an Elasticsearch cluster
cat <<EOF | kubectl apply -f -
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.9.1
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
EOF

# Create a Kibana instance
cat <<EOF | kubectl apply -f -
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.9.1
  count: 1
  elasticsearchRef:
    name: quickstart
EOF

# Create an APM Server.
cat <<EOF | kubectl apply -f -
apiVersion: apm.k8s.elastic.co/v1
kind: ApmServer
metadata:
  name: quickstart
  namespace: default
spec:
  version: 8.9.1
  count: 1
  elasticsearchRef:
    name: quickstart
  kibanaRef:
    name: quickstart
EOF

# The APM secret token is stored in a secret named "<name>-apm-token".
export ELASTIC_APM_SECRET_TOKEN=$(kubectl get secret/quickstart-apm-token --template '{{index .data "secret-token"}}' | base64 -d)

# The CA for APM Server's TLS certificate is stored in the secret "<name>-apm-http-certs-public".
export ELASTIC_APM_SERVER_CA_CERT_FILE=$(mktemp)
kubectl get secret/quickstart-apm-http-certs-public \
  --template '{{index .data "tls.crt"}}' | base64 -d > "$ELASTIC_APM_SERVER_CA_CERT_FILE"

echo
echo "Elastic APM configuration:"
echo
env | grep ELASTIC_APM_
```
Running that you should end up with some output like:
```
...
Elastic APM configuration:
ELASTIC_APM_SECRET_TOKEN=p7x1C6aV6MtrC1I77Ly53G7w
ELASTIC_APM_SERVER_CA_CERT_FILE=/tmp/tmp.qRzQI9X0q8
```
To test, you can connect to APM Server from your host by port-forwarding to apm-server and using curl, e.g.

```
$ kubectl port-forward service/quickstart-apm-http 8200&
$ curl --resolve *:8200:127.0.0.1 --cacert /tmp/tmp.qRzQI9X0q8 -H "Authorization: Bearer p7x1C6aV6MtrC1I77Ly53G7w" https://quickstart-apm-http.default.apm.local:8200
```
> Where should I mount the generated self-signed certs as k8s secret!?!
You'll need to mount the secrets in the pods running your instrumented applications, i.e. in the pod spec for your Node.js application. How you configure your application pods is naturally outside the scope of ECK -- you can use standard Kubernetes features to do this, referencing the secrets generated by ECK. See the script above for the secret names.
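A sketch of such an application pod spec, added here as an example and not part of the original post: it mounts the CA certificate from `quickstart-apm-http-certs-public` as a read-only file and injects the token from `quickstart-apm-token` without copying either value into the manifest. The Deployment name, image, mount path and the in-cluster server URL are assumptions; the secret names and keys are the ones the script above reads.

```yaml
# Added example: hypothetical Node.js application Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-node-app              # hypothetical name
  namespace: default             # secrets can only be referenced from their own namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-node-app
  template:
    metadata:
      labels:
        app: my-node-app
    spec:
      containers:
        - name: app
          image: registry.example.com/my-node-app:1.0.0   # placeholder image
          env:
            - name: ELASTIC_APM_SERVER_URL
              # Assumption: the service's in-cluster DNS name is covered by the
              # certificate ECK generated; adjust if your SANs differ.
              value: https://quickstart-apm-http.default.svc:8200
            - name: ELASTIC_APM_SECRET_TOKEN
              valueFrom:
                secretKeyRef:
                  name: quickstart-apm-token
                  key: secret-token
            - name: ELASTIC_APM_SERVER_CA_CERT_FILE
              value: /etc/apm-ca/tls.crt     # path of the file mounted below
          volumeMounts:
            - name: apm-ca
              mountPath: /etc/apm-ca
              readOnly: true
      volumes:
        - name: apm-ca
          secret:
            secretName: quickstart-apm-http-certs-public
            items:
              - key: tls.crt
                path: tls.crt
```

If the application runs in a different namespace from the ApmServer resource, the two secrets have to be copied or synced into that namespace first, since a pod cannot reference secrets across namespaces.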