Skip to content

Latest commit

 

History

History
209 lines (201 loc) · 6.47 KB

add-fleet-server-kubernetes-content.asciidoc

File metadata and controls

209 lines (201 loc) · 6.47 KB

The following command assumes you have the {es} CA available as a local file.

+

kubectl create secret generic fleet-server-ssl \
  --from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE>

+

When running the command, substitute the following values:

  • <PATH_TO_ES_CA_CERT_FILE> with your local file containing the {es} CA(s).

+ If you prefer to obtain a yaml manifest of the Secret to create, append --dry-run=client -o=yaml to the command and save the output to a file.

The following command assumes you have the {es} CA and the {fleet-server} certificate, key and CA available as local files.

+

kubectl create secret generic fleet-server-ssl \
  --from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE> \
  --from-file=fleet-ca.crt=<PATH_TO_FLEET_CA_CERT_FILE> \
  --from-file=fleet-server.crt=<PATH_TO_FLEET_SERVER_CERT> \
  --from-file=fleet-server.key=<PATH_TO_FLEET_SERVER_CERT_KEY> \
  --from-literal=fleet_url='<FLEET_URL>'

+

When running the command, substitute the following values:

  • <PATH_TO_ES_CA_CERT_FILE> with your local file containing the {es} CA(s).

  • <PATH_TO_FLEET_CA_CERT_FILE> with your local file containing the {fleet-server} CA.

  • <PATH_TO_FLEET_SERVER_CERT> with your local file containing the server TLS certificate for the {fleet-server}.

  • <PATH_TO_FLEET_SERVER_CERT_KEY> with your local file containing the server TLS key for the {fleet-server}.

  • <FLEET_URL> with the URL that points to the {fleet-server}, for example https://fleet-svc. This URL will be used by the {fleet-server} during its bootstrap, and its hostname must be included in the server certificate’s x509 Subject Alternative Name (SAN) list.

+ If you prefer to obtain a yaml manifest of the Secret to create, append --dry-run=client -o=yaml to the command and save the output to a file.

apiVersion: v1
kind: Service
metadata:
  name: fleet-svc
spec:
  type: ClusterIP
  selector:
    app: fleet-server
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8220
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fleet-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fleet-server
  template:
    metadata:
      labels:
        app: fleet-server
    spec:
      automountServiceAccountToken: false
      containers:
      - name: elastic-agent
        image: docker.elastic.co/beats/elastic-agent:{version}
        env:
          - name: FLEET_SERVER_ENABLE
            value: "true"
          - name: FLEET_SERVER_ELASTICSEARCH_HOST
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: elastic_endpoint
          - name: FLEET_SERVER_SERVICE_TOKEN
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: elastic_service_token
          - name: FLEET_SERVER_POLICY_ID
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: fleet_policy_id
          - name: ELASTICSEARCH_CA
            value: /mnt/certs/es-ca.crt
        ports:
        - containerPort: 8220
          protocol: TCP
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /mnt/certs
          readOnly: true
      volumes:
      - name: certs
        secret:
          defaultMode: 420
          optional: false
          secretName: fleet-server-ssl
apiVersion: v1
kind: Service
metadata:
  name: fleet-svc
spec:
  type: ClusterIP
  selector:
    app: fleet-server
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8220
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fleet-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fleet-server
  template:
    metadata:
      labels:
        app: fleet-server
    spec:
      automountServiceAccountToken: false
      containers:
      - name: elastic-agent
        image: docker.elastic.co/beats/elastic-agent:{version}
        env:
          - name: FLEET_SERVER_ENABLE
            value: "true"
          - name: FLEET_SERVER_ELASTICSEARCH_HOST
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: elastic_endpoint
          - name: FLEET_SERVER_SERVICE_TOKEN
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: elastic_service_token
          - name: FLEET_SERVER_POLICY_ID
            valueFrom:
              secretKeyRef:
                name: fleet-server-config
                key: fleet_policy_id
          - name: ELASTICSEARCH_CA
            value: /mnt/certs/es-ca.crt
          - name: FLEET_SERVER_CERT
            value: /mnt/certs/fleet-server.crt
          - name: FLEET_SERVER_CERT_KEY
            value: /mnt/certs/fleet-server.key
          - name: FLEET_CA
            value: /mnt/certs/fleet-ca.crt
          - name: FLEET_URL
            valueFrom:
              secretKeyRef:
                name: fleet-server-ssl
                key: fleet_url
          - name: FLEET_SERVER_TIMEOUT
            value: '60s'
          - name: FLEET_SERVER_PORT
            value: '8220'
        ports:
        - containerPort: 8220
          protocol: TCP
        resources: {}
        volumeMounts:
        - name: certs
          mountPath: /mnt/certs
          readOnly: true
      volumes:
      - name: certs
        secret:
          defaultMode: 420
          optional: false
          secretName: fleet-server-ssl