Build a Kubernetes Cluster and LogScale Deployment - CrowdStrike/logscale-community-content GitHub Wiki

Summary

This walks through the process of building a Kubernetes cluster across 3 nodes. The following was used for each node:

  • Ubuntu 22.04.1
  • (x3) i3.2xlarge instances
  • 256 GB of gp2 for each instance.

Please note this was written for lab usage. It has not been tested for speed, scale, or supportability. You will need a valid LogScale license for the deployment.

Update the OS

sudo apt update && sudo apt upgrade
sudo reboot

Install Kubernetes

echo "export KUBECONFIG=~/.kube/config" >> ~/.bashrc
echo "export PATH=$PATH:/var/lib/kurl/helm" >> ~/.bashrc
source ~/.bashrc

# Run this on the COORDINATOR node.
# It can take a while to complete. 
curl https://kurl.sh/latest | sudo bash

# Run the final output from the above command on the WORKER nodes. 
# Example: curl -fsSL https://kurl.sh/version/v2023.11.20-0/latest/join.sh | sudo bash -s kuber...

# Run this on the COORDINATOR node.
# Type "y" to overwrite the file.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
bash -l

# Check the nodes.
# Run on the COORDINATOR node.
kubectl get nodes

Install Strimzi

# Run all of this on the COORDINATOR node.

# Check the website for the latest version.
wget https://github.com/strimzi/strimzi-kafka-operator/releases/download/0.39.0/strimzi-0.39.0.tar.gz
tar xzvf strimzi-0.39.0.tar.gz 
cd strimzi-0.39.0

# Create the namespaces.
kubectl create ns kafka
kubectl create ns logging

# Modify the namespace. 
sed -i 's/namespace: .*/namespace: kafka/' install/cluster-operator/*RoleBinding*.yaml

# Edit the deployment YAML to set the namespace for the cluster.
# Modify the file based on the section below this. 
vi install/cluster-operator/060-Deployment-strimzi-cluster-operator.yaml 
# Around line 43.
# Before:
env:
  - name: STRIMZI_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace

# After:
env:
  - name: STRIMZI_NAMESPACE
    value: logging
# Run the following:
kubectl create -f install/cluster-operator/020-RoleBinding-strimzi-cluster-operator.yaml -n logging
kubectl create -f install/cluster-operator/023-RoleBinding-strimzi-cluster-operator.yaml -n logging
kubectl create -f install/cluster-operator/031-RoleBinding-strimzi-cluster-operator-entity-operator-delegation.yaml -n logging
kubectl create -f install/cluster-operator/ -n kafka

# Create the kafka CRD spec.
# Add the section below this to the file. 
vi kafka.yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: kafka-00
spec:
  kafka:
    replicas: 3
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: tls
      - name: external
        port: 9094
        type: nodeport
        tls: false
    storage:
      type: jbod
      volumes:
      - id: 0
        type: persistent-claim
        size: 32Gi
        deleteClaim: true
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      default.replication.factor: 1
      min.insync.replicas: 1
  zookeeper:
    replicas: 3
    storage:
      type: persistent-claim
      size: 1Gi
      deleteClaim: true
  entityOperator:
    topicOperator: {}
    userOperator: {}
# Apply the config.
kubectl apply -n logging -f kafka.yaml

# Make sure it comes up.
kubectl -n logging get pods -w

# Wait until it says the deployment is complete.
kubectl -n logging describe Kafka

# Continue when it doesn't show "Type: NotReady". 

Install LogScale

# Check the site for the latest version.
export HUMIO_OPERATOR_VERSION=0.20.1

# Apply the config.
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioclusters.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioexternalclusters.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioingesttokens.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioparsers.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humiorepositories.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioviews.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioalerts.yaml
kubectl apply --server-side -f https://raw.githubusercontent.com/humio/humio-operator/humio-operator-${HUMIO_OPERATOR_VERSION}/config/crd/bases/core.humio.com_humioactions.yaml

# Configure Helm.
# Change the version to match the version above. 
helm repo add humio-operator https://humio.github.io/humio-operator
helm install humio-operator humio-operator/humio-operator --namespace logging --create-namespace --version=${HUMIO_OPERATOR_VERSION}

# Replace with the actual license and password.
kubectl -n logging create secret generic logscale-00-license --from-literal=data=$LICENSE_KEY

# Create the cluster.
# Add the section below this to the file.
# IMPORTANT: 
# - Replace the version with the latest LogScale version.
# - Replace the password. 
vi logscale-00.yaml
apiVersion: core.humio.com/v1alpha1
kind: HumioCluster
metadata:
  name: logscale-00
spec:
  image: "humio/humio-core:1.118.1"
  license:
     secretKeyRef:
       name: logscale-00-license
       key: data
  targetReplicationFactor: 2
  nodeCount: 3
  storagePartitionsCount: 24
  digestPartitionsCount: 24
  autoRebalancePartitions: true
  tls:
    enabled: false
  resources:
    limits:
      cpu: "2"
      memory: 12Gi
    requests:
      cpu: "2"
      memory: 12Gi
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: humio_node_type
            operator: In
            values:
            - core
        - matchExpressions:
          - key: kubernetes.io/arch
            operator: In
            values:
            - amd64
        - matchExpressions:
          - key: kubernetes.io/os
            operator: In
            values:
            - linux
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchExpressions:
          - key: app
            operator: In
            values:
            - humio-core
        topologyKey: kubernetes.io/hostname
  dataVolumePersistentVolumeClaimSpecTemplate:
    storageClassName:
    accessModes: [ReadWriteOnce]
    resources:
      requests:
        storage: 192Gi
  dataVolumePersistentVolumeClaimPolicy:
    reclaimType: OnNodeDelete
  extraKafkaConfigs: "security.protocol=PLAINTEXT"
  environmentVariables:
    - name: "KAFKA_SERVERS"
      value: "kafka-00-kafka-bootstrap:9092"
    - name: "SINGLE_USER_USERNAME"
      value: "admin"
    - name: "SINGLE_USER_PASSWORD"
      value: "ch4ng3th1sp4ss"
    - name: "AUTHENTICATION_METHOD"
      value: "single-user"
# Apply the config.
kubectl -n logging apply -f logscale-00.yaml

# Make sure the pods come up.
kubectl -n logging get pods -w

# Find the list of LogScale pods.
kubectl -n logging get pods | grep logscale

# From the list, check the output from an individual pod. 
# kubectl -n logging logs logscale-00-core-tbqxdh
# kubectl -n logging logs logscale-00-core-tbqxdh -c humio

# Make sure everything looks sane.
kubectl -n logging describe HumioCluster

# Create the service.
# Add the section below this.
vi logscale-service.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: logscale-service
spec:
  type: NodePort
  selector:
    app.kubernetes.io/instance: logscale-00
  ports:
  - name: logscale-ingress
    protocol: TCP
    port: 8080
    targetPort: 8080
    nodePort: 28080
# Apply the config.
kubectl -n logging apply -f logscale-service.yaml

# Check for sanity. 
kubectl -n logging describe Service
kubectl -n logging get Service

# Ensure the connection is successful. 
# At this point you should be able to connect via HTTP on the ip address or DNS name. 
# http://$public_ip_or_dns_name_of_host:28080

Enable TLS

# Change the TLS setting in the file to true and save the file.
# It's under "tls.enabled" which is "false" by default. 
vi logscale-00.yaml

# Install cert manager. 
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true

# Apply the config.
kubectl -n logging apply -f logscale-00.yaml

# Check the changes.
kubectl -n logging describe HumioCluster

# Add ingress.
helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --namespace ingress-nginx --create-namespace

# Change any "logscale.logscale-00.com" references below to the real DNS domain being used. 

# Create certs.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout logscale.logscale-00.com.key -out logscale.logscale-00.com.crt -subj "/CN=logscale.logscale-00.com/O=logscale.logscale-00.com"

# Load the secret into Kubernetes. 
kubectl -n logging create secret tls cert-logscale-00 --key logscale.logscale-00.com.key --cert logscale.logscale-00.com.crt

# Create the ingress object.
# Add the following section to the file.
vi logscale-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: logscale-00-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "logscale-00.logging"
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "logscale-00.logging"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "logging/logscale-00"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
      - logscale.logscale-00.com
    secretName: cert-logscale-00
  rules:
  - host: logscale.logscale-00.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: logscale-00
            port:
              number: 8080
# Apply the spec.
kubectl -n logging apply -f logscale-ingress.yaml

# Check for sanity.
kubectl -n logging describe Ingress

# Create a node port.
# Add the following section to the file.
vi ingress-nodeport.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-nodeport
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: ingress-nginx
  ports:
  - name: logscale-ingress
    protocol: TCP
    port: 443
    targetPort: 443
    nodePort: 28443
# Apply the spec.
kubectl -n ingress-nginx apply -f ingress-nodeport.yaml

# Check the service.
kubectl -n ingress-nginx get services

# Ensure the connection is successful. 
# At this point you should be able to connect via HTTPS on the DNS name. 
# https://$dns_name_of_host:28443

Troubleshooting

# Deleting things that were applied.
# Literally just swap out "apply" with "delete" on the above commands. 
kubectl -n logging delete -f kafka.yaml
kubectl -n logging delete -f logscale-00.yaml
kubectl -n ingress-nginx delete -f ingress-nodeport.yaml

# Find out details about a service.
kubectl -n logging describe Kafka
kubectl -n logging describe Deployment
kubectl -n logging describe Service
kubectl -n logging describe HumioCluster
kubectl -n logging describe Ingress

# Show which services are listening on which ports. 
kubectl -n logging get service

# List all running pods in a namespace.
kubectl -n logging get pods

# Get logs from a particular pod.
kubectl -n logging logs logscale-00-core-tbqxdh

# Get application logs from a pod.
kubectl -n logging logs logscale-00-core-tbqxdh -c humio

# Easily view everything about your deployment.
# https://github.com/derailed/k9s

# Enable metrics on the cluster.
wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
vi components.yaml
# Add "- --kubelet-insecure-tls" under "- --metric-resolution=15s", minus the quotes. Save the file.
kubectl apply -f components.yaml