I'm trying to setup ELK stack in Docker Swarm following this guide with some modifications.
I've tried a number of different options, and while it's helped me learn more of ELK, I still haven't managed to get it working. Here is what i'm after:
I want to enable transport TLS, which from what I under stand is encryption internally between nodes? As well as TLS for http to be able to access Kibana on "https://<domain_name>.com"
My steps to install:
- Deploy
create-certs.yml
file and remove when finished. - Deploy
stack-elk.yml
file. - Create passwords for built-in users
a.bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200
- Change password in
elastic_pass.txt
andELASTICSEARCH_PASSWORD
in kibana service. - Remove
stack-elk.yml
file and redeploy.
create-certs.yml
version: '3.7'
volumes:
elk-certs:
configs:
instance_config:
file: ./elasticsearch/instances.yml
networks:
elk:
driver: overlay
services:
create_certs:
image: docker.elastic.co/elasticsearch/elasticsearch:7.9.1
networks:
- elk
volumes:
- type: bind
source: /mnt/elk-certs
target: /certs
configs:
- source: instance_config
target: /usr/share/elasticsearch/config/certificates/instances.yml
command: >
bash -c '
yum install -y -q -e 0 unzip;
if [[ ! -f /certs/bundle.zip ]]; then
bin/elasticsearch-certutil cert --silent --keep-ca-key ca --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
unzip /certs/bundle.zip -d /certs;
fi;
chown -R 1000:0 /certs
ls -la /certs
'
user: "0"
working_dir: /usr/share/elasticsearch
deploy:
placement:
constraints:
- node.labels.type == primary
stack-elk.yml
version: '3.7'
x-default-opts:
&default-opts
logging:
options:
max-size: "1m"
configs:
elastic_limits_config:
file: ./elasticsearch/config/limits.conf
elastic_systemd_override:
file: ./elasticsearch/config/override.conf
logstash_config:
file: ./logstash/config/logstash.yml
logstash_pipeline:
file: ./logstash/pipeline/logstash.conf
networks:
elk:
driver: overlay
driver_opts:
encrypted: "true"
traefik-public:
external: true
volumes:
elk-certs:
elk-data:
secrets:
elastic_pass:
file: ./elastic_pass.txt
kibana_system_pass:
file: ./kibana_system_pass.txt
services:
es01:
<<: *default-opts
image: docker.elastic.co/elasticsearch/elasticsearch:7.9.1
ports:
- "9200:9200"
- "9300:9300"
configs:
- source: elastic_limits_config
target: /etc/security/limits.conf
- source: elastic_systemd_override
target: /etc/systemd/system/elasticsearch.service.d/override.conf
secrets:
- source: elastic_pass
target: elastic_pass_secret
uid: '103'
gid: '103'
mode: 0400
volumes:
- type: bind
source: /gluster/volume/elk-certs
target: /usr/share/elasticsearch/config/certificates
- type: bind
source: /gluster/volume/elk-data
target: /usr/share/elasticsearch/data
environment:
node.name: es01
discovery.type: ''
discovery.seed_hosts: es01
cluster.name: docker-cluster
cluster.initial_master_nodes: es01
network.host: 0.0.0.0
ES_JAVA_OPTS: "-Xmx512m -Xms512m"
ELASTIC_PASSWORD_FILE: /run/secrets/elastic_pass_secret
MAX_LOCKED_MEMORY: unlimited
xpack.monitoring.collection.enabled: "true"
xpack.license.self_generated.type: basic
xpack.security.enabled: "true"
xpack.security.http.ssl.enabled: "true"
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certificates/es01/es01.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certificates/es01/es01.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/ca.crt
# xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/elasticsearch-ca.pem
xpack.security.http.ssl.verification_mode: certificate
xpack.security.transport.ssl.enabled: "true"
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/ca.crt
# xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca/elasticsearch-ca.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certificates/es01/es01.crt
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certificates/es01/es01.key
# xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certificates/es01/http.p12
# xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certificates/es01/http.p12
networks:
- elk
healthcheck:
test: curl --cacert /usr/share/elasticsearch/config/certificates/ca/ca.crt -s https://localhost:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
interval: 30s
timeout: 10s
retries: 5
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
delay: 10s
max_attempts: 5
window: 60s
resources:
limits:
memory: 1G
logstash:
<<: *default-opts
image: docker.elastic.co/logstash/logstash:7.9.1
ports:
- "5000:5000"
- "9600:9600"
secrets:
- source: elastic_pass
target: elastic_pass_secret
uid: '103'
gid: '103'
mode: 040
configs:
- source: logstash_config
target: /usr/share/logstash/config/logstash.yml
- source: logstash_pipeline
target: /usr/share/logstash/pipeline/logstash.conf
environment:
LS_JAVA_OPTS: "-Xmx256m -Xms256m"
volumes:
- type: bind
source: /gluster/volume/elk-certs
target: /usr/share/elasticsearch/config/certificates
networks:
- elk
deploy:
mode: replicated
replicas: 1
kibana:
<<: *default-opts
image: docker.elastic.co/kibana/kibana:7.9.1
ports:
- "5601:5601"
environment:
SERVER_NAME: kibana
SERVER_HOST: 0.0.0.0
SERVER_SSL_ENABLED: "true"
SERVER_SSL_KEY: /usr/share/elasticsearch/config/certificates/kibana/kibana.key
SERVER_SSL_CERTIFICATE: /usr/share/elasticsearch/config/certificates/kibana/kibana.crt
# SERVER_SSL_KEYSTORE_PATH: /usr/share/elasticsearch/config/certificates/es01/http.p12
# SERVER_SSL_TRUSTSTORE_PATH: /usr/share/elasticsearch/config/certificates/es01/http.p12
# SERVER_SSL_CERTIFICATEAUTHORITIES: /usr/share/elasticsearch/config/certificates/ca/elasticsearch-ca.pem
SERVER_SSL_CLIENTAUTHENTICATION: optional
ELASTICSEARCH_USERNAME: kibana_system
ELASTICSEARCH_PASSWORD: kvv6nju4hLuI3eE7nbdr
ELASTICSEARCH_HOSTS: https://es01:9200
ELASTICSEARCH_URL: https://es01:9200
ELASTICSEARCH_SSL_VERIFICATIONMODE: certificate
ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: /usr/share/elasticsearch/config/certificates/ca/ca.crt
ELASTICSEARCH_REQUESTTIMEOUT: 60000
# ELASTICSEARCH_SSL_CERTIFICATE: /usr/share/elasticsearch/config/certificates/kibana/kibana.crt
# ELASTICSEARCH_SSL_KEY: /usr/share/elasticsearch/config/certificates/kibana/kibana.key
# ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: /usr/share/elasticsearch/config/certificates/ca/elasticsearch-ca.pem
# ELASTICSEARCH_SSL_KEYSTORE_PATH: /usr/share/elasticsearch/config/certificates/es01/http.p12
# ELASTICSEARCH_SSL_TRUSTSTORE_PATH: /usr/share/elasticsearch/config/certificates/es01/http.p12
XPACK_SECURITY_HTTP_SSL_CLIENT_AUTHENTICATION: optional
XPACK_SECURITY_ENABLED: "true"
XPACK_SECURITY_ENCRYPTIONKEY: long string
XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: long string
XPACK_REPORTING_ENCRYPTIONKEY: long string
MONITORING_UI_CONTAINER_ELASTICSEARCH_ENABLED: "true"
volumes:
- type: bind
source: /gluster/volume/elk-certs
target: /usr/share/elasticsearch/config/certificates
depends_on:
- es01
networks:
- elk
- traefik-public
deploy:
mode: replicated
replicas: 1
labels:
traefik.enable: "true"
traefik.docker.network: traefik-public
traefik.constraint-label: traefik-public
traefik.http.routers.kibana-http.rule: Host(`kibana.example.com`)
traefik.http.routers.kibana-http.entrypoints: http
traefik.http.routers.kibana-http.middlewares: https-redirect
traefik.http.routers.kibana-https.rule: Host(`kibana.example.com`)
traefik.http.routers.kibana-https.entrypoints: https
traefik.http.routers.kibana-https.tls: "true"
traefik.http.routers.kibana-https.tls.certresolver: le
traefik.http.services.kibana.loadbalancer.server.port: 5601
# Security Headers
traefik.http.middlewares.kibana-headers.headers.framedeny: "true"
traefik.http.middlewares.kibana-headers.headers.forceSTSHeader: "true"
traefik.http.routers.kibana-https.middlewares: kibana-headers,admin-auth