See https://www.elastic.co/guide/en/elastic-stack-get-started/7.17/get-started-docker.html#get-started-docker-tls
Create the Docker Compose files and the certutil instance list
# Shared settings for the files written below: the certificate directory as
# seen inside the containers, and the Elastic image tag. Both are expanded
# inside the unquoted heredocs that follow.
CERTS_DIR=/usr/share/elasticsearch/config/certificates
VERSION=8.15.0; export VERSION
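# Write the three-node Elasticsearch + Kibana compose file. The heredoc is
# deliberately unquoted so ${VERSION} and ${CERTS_DIR} (set above) are expanded
# now; a backslash-escaped \$ is passed through untouched for Compose to
# interpolate at `docker compose up` time.
cat << EOF > elastic-docker.yml
services:
  es01:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es02,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=${CERTS_DIR}/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.http.ssl.certificate=${CERTS_DIR}/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      # 'certificate' checks that the peer chains to ca.crt but not its hostname;
      # instances.yml gives every node DNS SANs, so 'full' is also an option here.
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.transport.ssl.certificate=${CERTS_DIR}/es01/es01.crt
      - xpack.security.transport.ssl.key=${CERTS_DIR}/es01/es01.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data01:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}
    ports:
      - "9200:9200"
    networks:
      - elastic
    healthcheck:
      # Compose only looks at the exit status: fail whenever curl cannot complete
      # a TLS request to the node (connection refused, handshake failure, empty
      # reply). An HTTP 401 on the unauthenticated request still exits 0, which
      # is enough to mean "HTTP layer is up" for kib01's depends_on below.
      test:
        - CMD-SHELL
        - "curl -s --cacert ${CERTS_DIR}/ca/ca.crt https://localhost:9200 >/dev/null || exit 1"
      interval: 30s
      timeout: 10s
      retries: 5
  es02:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es02
    environment:
      - node.name=es02
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es03
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=${CERTS_DIR}/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.http.ssl.certificate=${CERTS_DIR}/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.transport.ssl.certificate=${CERTS_DIR}/es02/es02.crt
      - xpack.security.transport.ssl.key=${CERTS_DIR}/es02/es02.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data02:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}
    networks:
      - elastic
  es03:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: es03
    environment:
      - node.name=es03
      - cluster.name=es-docker-cluster
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02,es03
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=${CERTS_DIR}/es03/es03.key
      - xpack.security.http.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.http.ssl.certificate=${CERTS_DIR}/es03/es03.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.certificate_authorities=${CERTS_DIR}/ca/ca.crt
      - xpack.security.transport.ssl.certificate=${CERTS_DIR}/es03/es03.crt
      - xpack.security.transport.ssl.key=${CERTS_DIR}/es03/es03.key
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - data03:/usr/share/elasticsearch/data
      - certs:${CERTS_DIR}
    networks:
      - elastic
  kib01:
    image: docker.elastic.co/kibana/kibana:${VERSION}
    container_name: kib01
    depends_on:
      es01:
        condition: service_healthy
    ports:
      - "9601:5601"
    environment:
      # NOTE(review): Kibana's documented variable is SERVER_NAME; SERVERNAME is
      # kept as in the referenced guide — confirm it is actually honoured.
      SERVERNAME: localhost
      ELASTICSEARCH_URL: https://es01:9200
      ELASTICSEARCH_HOSTS: https://es01:9200
      ELASTICSEARCH_USERNAME: kibana_system
      # Resolved by Compose, not by this heredoc: export KIBANA_PASSWORD (name
      # chosen here) before `docker compose up`, or edit the CHANGEME default
      # once elasticsearch-setup-passwords has printed the kibana_system password.
      ELASTICSEARCH_PASSWORD: "\${KIBANA_PASSWORD:-CHANGEME}"
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: ${CERTS_DIR}/ca/ca.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: ${CERTS_DIR}/kib01/kib01.key
      SERVER_SSL_CERTIFICATE: ${CERTS_DIR}/kib01/kib01.crt
    volumes:
      # Same volume and mount path as the nodes, so the kib01/ and ca/ files
      # generated by create-certs.yml are found at the paths above.
      - certs:${CERTS_DIR}
    networks:
      - elastic
volumes:
  data01:
    driver: local
  data02:
    driver: local
  data03:
    driver: local
  certs:
    driver: local
networks:
  elastic:
    driver: bridge
EOF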
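# Write the one-shot certificate generator. It produces a CA plus a
# certificate/key pair per entry of instances.yml (written below) into the
# shared 'certs' volume. Run both compose files from this same directory: the
# default project name is the directory name, and that prefix is what makes
# the 'certs' volume here the one elastic-docker.yml mounts.
cat << EOF > create-certs.yml
services:
  create_certs:
    image: docker.elastic.co/elasticsearch/elasticsearch:${VERSION}
    container_name: create_certs
    # The bundle is generated only once; a re-run with /certs/bundle.zip already
    # present just re-applies ownership. uid 1000 is the image's elasticsearch
    # user, which must be able to read the private keys.
    command: >
      bash -c '
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs;
        fi;
        chown -R 1000:0 /certs
      '
    working_dir: /usr/share/elasticsearch
    volumes:
      - certs:/certs
      # The current directory is mounted so instances.yml is visible to certutil.
      - .:/usr/share/elasticsearch/config/certificates
    networks:
      - elastic
volumes:
  certs:
    driver: local
networks:
  elastic:
    driver: bridge
EOF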
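# Instance list consumed by elasticsearch-certutil. Every certificate carries
# the compose service name plus localhost as DNS SANs (and 127.0.0.1 for the
# nodes), so hostname verification passes both between containers and from
# the host-side curl calls below. Names are plain scalars throughout.
cat << EOF > instances.yml
instances:
  - name: es01
    dns:
      - es01
      - localhost
    ip:
      - 127.0.0.1
  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1
  - name: es03
    dns:
      - es03
      - localhost
    ip:
      - 127.0.0.1
  - name: kib01
    dns:
      - kib01
      - localhost
EOF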
# Run the generator once; --rm discards the container afterwards while the
# generated files stay in the 'certs' volume.
docker compose --file create-certs.yml run --rm create_certs
Start the Elasticsearch Docker cluster
# Bring the cluster up detached, then have Elasticsearch generate random
# passwords for the built-in users (kibana_system among them). They are printed
# once only, so capture the output.
docker compose --file elastic-docker.yml up --detach
docker exec es01 bin/elasticsearch-setup-passwords auto --batch --url https://es01:9200
Reset passwords if needed. Set the kibana_system password in elastic-docker.yml above and restart the Docker cluster
# Optional: regenerate the 'elastic' superuser password non-interactively
# (-a auto-generate, -b no prompts, -u user).
docker exec es01 bin/elasticsearch-reset-password -a -b -u elastic --url https://es01:9200
Set up the Elasticsearch login variables
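# Credentials for the host-side calls. The password is embedded in ES_URL
# because the MinIO audit_webhook endpoint below takes it in URL form; any
# URL-reserved characters in it must be percent-encoded.
export USER="elastic"
export PASSWORD="<password>"  # from the previous step
export ES_URL="https://${USER}:${PASSWORD}@localhost:9200"
export INDEX="minio-audit-logs"
# The curl calls below verify the node with --cacert /tmp/ca.crt, so copy the
# CA certificate out of es01. The node's private key is not needed on the
# host and stays in the container.
docker cp "es01:${CERTS_DIR}/ca/ca.crt" /tmp/ca.crt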
# Index a throw-away document to confirm that CA trust and credentials work.
curl --cacert /tmp/ca.crt \
  --request POST "${ES_URL}/${INDEX}/_doc" \
  --header "Content-Type: application/json" \
  --data '{"test1":"hello world"}'
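# Read back the newest 10 documents, sorted on the audit record's time field.
# unmapped_type keeps the query valid while the index holds only the test
# document above and no field named time exists yet; without it Elasticsearch
# rejects the sort.
curl --cacert /tmp/ca.crt \
  --request GET "${ES_URL}/${INDEX}/_search?pretty" \
  --header "Content-Type: application/json" \
  --data '
{
  "size": 10,
  "sort": [
    {
      "time": {
        "order": "desc",
        "unmapped_type": "date"
      }
    }
  ],
  "query": {
    "match_all": {}
  }
}'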
Set up the MinIO audit webhook and test MinIO audit logging
# Point MinIO's audit webhook at the index. The endpoint carries the elastic
# credentials, so it is readable by anyone allowed to run 'mc admin config get'.
# For the https endpoint MinIO has to trust the cluster CA (ca.crt under its
# certs/CAs directory), and localhost only resolves if MinIO runs on this host.
# A queue_dir under /tmp may not survive a reboot.
mc admin config set <alias> audit_webhook:ECK \
  endpoint="${ES_URL}/${INDEX}/_doc" \
  queue_size="1000" \
  queue_dir="/tmp/audit_queue"
# Show the stored target (password included, as seen in the output below).
mc admin config get <alias> audit_webhook
audit_webhook enable=off endpoint= auth_token= client_cert= client_key= batch_size=1 queue_size=100000 queue_dir=
audit_webhook:ECK endpoint=https://elastic:<elastic password>@localhost:9200/minio-audit-logs/_doc auth_token= client_cert= client_key= batch_size=1 queue_size=1000 queue_dir=/tmp/audit_queue
