Adopted Elastic Stack version 8 and upgraded to 8.2.1 with quickstart demo for starting the ELK cluster in one shot

Author: bindiego

bin/demo.sh

@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Author: Bin Wu <[email protected]>
+
+pwd=`pwd`
+cluster_name=elk-demo
+region=asia-east1
+# zone=asia-east1-a
+project_id=du-hast-mich
+default_pool=default-pool
+nodes_per_zone=5 # per zone
+machine_type=e2-standard-2
+release_channel=None # None -> static, e.g. rapid, regular, stable
+gke_version=1.23.6-gke.1500
+eck_version=2.2.0
+es_cluster_name=dingo-demo
+
+__create_gke() {
+        #--zone "${zone}" \
+        #--node-locations "${region}-a,${region}-b,${region}-c"
+        #--num-nodes "1" for regional/multi-zone cluster, this is the number in each zone
+    gcloud beta container \
+        --project "${project_id}" clusters create "$cluster_name" \
+        --zone "${region}-a" \
+        --node-locations "${region}-a" \
+        --no-enable-basic-auth \
+        --enable-dataplane-v2 \
+        --release-channel "${release_channel}" \
+        --cluster-version "${gke_version}" \
+        --machine-type "$machine_type" \
+        --image-type "COS_CONTAINERD" \
+        --disk-type "pd-ssd" \
+        --disk-size "20" \
+        --metadata disable-legacy-endpoints=true \
+        --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
+        --num-nodes "$nodes_per_zone" \
+        --logging=SYSTEM,WORKLOAD \
+        --monitoring=SYSTEM,WORKLOAD \
+        --enable-ip-alias \
+        --network "projects/${project_id}/global/networks/default" \
+        --subnetwork "projects/${project_id}/regions/$region/subnetworks/default" \
+        --default-max-pods-per-node "110" \
+        --no-enable-master-authorized-networks \
+        --addons HorizontalPodAutoscaling,HttpLoadBalancing \
+        --no-enable-autoupgrade \
+        --max-surge-upgrade 1 \
+        --max-unavailable-upgrade 0 \
+        --enable-autorepair
+
+    __init
+}
+
+# setup the deployment enviroment for Elastic Stack
+__init() {
+    # Set kubectl to target the created cluster
+    gcloud container clusters get-credentials $cluster_name \
+        --zone "${region}-a" \
+        --project ${project_id}
+
+    # sysctl -w vm.max_map_count=262144 for every GKE node
+    # Option 1
+    # $pwd/bin/gke_sysctl_vmmaxmapcount.sh
+    # Option 2
+    kubectl apply -f $pwd/conf/node-daemon.yml
+
+    # Install ECK
+    [ -f $pwd/conf/crds.yaml ] || \
+        curl https://download.elastic.co/downloads/eck/$eck_version/crds.yaml --output $pwd/conf/crds.yaml
+    kubectl create -f $pwd/conf/crds.yaml
+
+    [ -f $pwd/conf/operator.yaml ] || \
+        curl https://download.elastic.co/downloads/eck/$eck_version/operator.yaml --output $pwd/conf/operator.yaml
+    kubectl apply -f $pwd/conf/operator.yaml
+
+    # create storage class
+    kubectl create -f $pwd/conf/storage.yml
+
+    ## make it default
+
+    # 1. switch default class to false
+    #kubectl patch storageclass standard \
+        #-p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
+
+    # 2. switch the default class to true for custom storage class
+    #kubectl patch storageclass dingo-pdssd \
+        #-p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
+}
+
+__init_gcp_credentials() {
+    # FIXME: you may want a minimum privilege service account here just for GCS
+    [ -f $pwd/conf/gcs.client.default.credentials_file ] || \
+        cp $GOOGLE_APPLICATION_CREDENTIALS $pwd/conf/gcs.client.default.credentials_file
+
+    # Optional: setup a GCP service account that can manipulate GCS for snapshots
+    kubectl create secret generic gcs-credentials \
+        --from-file=$pwd/conf/gcs.client.default.credentials_file
+}
+
+__deploy_elastic() {
+    __init_gcp_credentials
+
+    kubectl apply -f $pwd/templates/es.demo.yml
+    kubectl apply -f $pwd/templates/kbn.demo.yml
+}
+
+__deploy_demo() {
+    __create_gke
+
+    __deploy_elastic
+}
+
+__password() {
+    # kubectl get secret ${es_cluster_name}-es-elastic-user -o=jsonpath='{.data.elastic}' | base64 --decode
+    kubectl get secret ${es_cluster_name}-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'
+}
+
+__password_reset() {
+    kubectl delete secret ${es_cluster_name}-es-elastic-user
+}
+
+__status() {
+    passwd=$(__password)
+    lb_ip=`kubectl get services ${es_cluster_name}-es-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
+
+    #curl -u "elastic:$passwd" -k "https://$lb_ip:9200"
+
+    kbn_ip=`kubectl get service dingo-demo-kbn-kb-http -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`
+    kbn_port=5601
+    kbn_url=https://${kbn_ip}:${kbn_port}
+
+    echo; echo "================================="
+    echo "Access Kibana at: " ${kbn_url}
+    echo "Username: " elastic
+    echo "Password: " ${passwd}
+    echo "================================="; echo
+}
+
+__clean() {
+    echo "Y" | gcloud container clusters delete $cluster_name \
+        --zone "${region}-a"
+}
+
+__main() {
+    if [ $# -eq 0 ]
+    then
+        __deploy_demo
+        __status
+    else
+        case $1 in
+            password|pwd|pw|p)
+                __password
+                ;;
+            pwdreset|pwreset)
+                __password_reset
+                ;;
+            status|s)
+                __status
+                ;;
+            clean)
+                __clean
+                ;;
+            *)
+                __deploy_demo
+                __status
+                ;;
+        esac
+    fi
+}
+
+__main $@

bin/es.sh

@@ -14,6 +14,10 @@ __init_gcp_credentials() {
     # FIXME: you may want a minimum privilege service account here just for GCS
     [ -f $pwd/conf/gcs.client.default.credentials_file ] || \
         cp $GOOGLE_APPLICATION_CREDENTIALS $pwd/conf/gcs.client.default.credentials_file
+
+    # Optional: setup a GCP service account that can manipulate GCS for snapshots
+    kubectl create secret generic gcs-credentials \
+        --from-file=$pwd/conf/gcs.client.default.credentials_file
 }
 
 __deploy() {

bin/gke.sh

@@ -6,12 +6,12 @@ pwd=`pwd`
 cluster_name=elk
 region=asia-east1
 # zone=asia-east1-a
-project_id=google.com:bin-wus-learning-center
+project_id=du-hast-mich
 default_pool=default-pool
-nodes_per_zone=5 # per zone
+nodes_per_zone=6 # per zone
 machine_type=n2-standard-8
 release_channel=None # None -> static, e.g. rapid, regular, stable
-gke_version=1.23.5-gke.2400
+gke_version=1.23.6-gke.1500
 eck_version=2.2.0
 __usage() {
     echo "Usage: ./bin/gke.sh {create|(delete,del,d)|scale|fix}"
@@ -30,13 +30,14 @@ __create() {
         --release-channel "${release_channel}" \
         --cluster-version "${gke_version}" \
         --machine-type "$machine_type" \
-        --image-type "COS" \
+        --image-type "COS_CONTAINERD" \
         --disk-type "pd-ssd" \
-        --disk-size "100" \
+        --disk-size "32" \
         --metadata disable-legacy-endpoints=true \
         --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
         --num-nodes "$nodes_per_zone" \
-        --enable-stackdriver-kubernetes \
+        --logging=SYSTEM,WORKLOAD \
+        --monitoring=SYSTEM,WORKLOAD \
         --enable-ip-alias \
         --network "projects/${project_id}/global/networks/default" \
         --subnetwork "projects/${project_id}/regions/$region/subnetworks/default" \
@@ -85,10 +86,6 @@ __init() {
     # 2. switch the default class to true for custom storage class
     #kubectl patch storageclass dingo-pdssd \
         #-p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
-
-    # Optional: setup a GCP service account that can manipulate GCS for snapshots
-    kubectl create secret generic gcs-credentials \
-        --from-file=$pwd/conf/gcs.client.default.credentials_file
 }
 
 __add_preemptible_pool() {

templates/apm.yml

@@ -3,7 +3,7 @@ kind: ApmServer
 metadata:
       name: dingo-apm
 spec:
-    version: 8.1.3
+    version: 8.2.1
     count: 1
     elasticsearchRef:
         name: dingo

templates/es.all_role.yml

@@ -3,7 +3,7 @@ kind: Elasticsearch
 metadata:
     name: dingo
 spec:
-    version: 8.1.3
+    version: 8.2.1
     #http:
         #service:
             #spec:
@@ -14,16 +14,13 @@ spec:
     - name: zone-a
       count: 2
       config:
-          node.master: true
-          node.data: true
-          node.ingest: true
-          node.ml: true
+          node.roles: [ master, data, ingest, ml, remote_cluster_client, transform ]
           xpack.ml.enabled: true
           node.store.allow_mmap: true
           index.store.type: hybridfs
           cluster.routing.allocation.awareness.attributes: zone
           node.attr.zone: asia-east1-a
-          cluster.remote.connect: true
+          #node.remote_cluster_client: true
           xpack.security.authc.anonymous.roles: monitoring_user
       volumeClaimTemplates:
       - metadata:
@@ -104,16 +101,13 @@ spec:
     - name: zone-b
       count: 2
       config:
-          node.master: true
-          node.data: true
-          node.ingest: true
-          node.ml: true
+          node.roles: [ master, data, ingest, ml, remote_cluster_client, transform ]
           xpack.ml.enabled: true
           node.store.allow_mmap: true
           index.store.type: hybridfs
           cluster.routing.allocation.awareness.attributes: zone
           node.attr.zone: asia-east1-b
-          cluster.remote.connect: true
+          #node.remote_cluster_client: true
           xpack.security.authc.anonymous.roles: monitoring_user
       volumeClaimTemplates:
       - metadata:

templates/es.demo.yml

@@ -0,0 +1,97 @@
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+    name: dingo-demo
+spec:
+    version: 8.2.1
+    #http:
+        #service:
+            #spec:
+                #type: LoadBalancer
+    secureSettings:
+    - secretName: gcs-credentials
+    nodeSets:
+    - name: zone-a
+      count: 3
+      config:
+          node.roles: [ master, data, ingest, ml, remote_cluster_client, transform ]
+          xpack.ml.enabled: true
+          node.store.allow_mmap: true
+          index.store.type: hybridfs
+          cluster.routing.allocation.awareness.attributes: zone
+          node.attr.zone: asia-east1-a
+          #node.remote_cluster_client: true
+          xpack.security.authc.anonymous.roles: monitoring_user
+      volumeClaimTemplates:
+      - metadata:
+          name: elasticsearch-data
+        spec:
+            accessModes:
+            - ReadWriteOnce
+            resources:
+                requests:
+                    storage: 256Gi
+            storageClassName: dingo-pdssd-balanced
+      podTemplate:
+          metadata:
+              labels:
+                  ingest: "on"
+                  coord: "on"
+          spec:
+              containers:
+              - name: elasticsearch
+                resources:
+                    requests:
+                        memory: 5Gi
+                        cpu: 1200m
+                    limits:
+                        memory: 5Gi
+                        cpu: 1200m
+                env:
+                - name: ES_JAVA_OPTS
+                  value: "-Xms3g -Xmx3g"
+                - name: PRE_STOP_MAX_WAIT_SECONDS
+                  value: "20"
+                - name: PRE_STOP_ADDITIONAL_WAIT_SECONDS
+                  value: "30"
+                - name: READINESS_PROBE_TIMEOUT
+                  value: "10"
+                readinessProbe:
+                    exec:
+                        command:
+                        - bash
+                        - -c
+                        - /mnt/elastic-internal/scripts/readiness-probe-script.sh
+                    failureThreshold: 3
+                    initialDelaySeconds: 10
+                    periodSeconds: 12
+                    successThreshold: 1
+                    timeoutSeconds: 12
+              initContainers:
+              #- name: sysctl
+                 #securityContext:
+                     #priviledged: true
+                #command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
+              - name: install-plugins
+                command:
+                - sh
+                - -c
+                - |
+                  bin/elasticsearch-plugin install --batch repository-gcs
+              #- name: install-ik
+              #  command:
+              #  - sh
+              #  - -c
+              #  - |
+              #    bin/elasticsearch-plugin install --batch https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v8.3.1/elasticsearch-analysis-ik-8.3.1.zip
+              nodeSelector:
+                  cloud.google.com/gke-nodepool: default-pool
+              affinity:
+                  podAntiAffinity:
+                      preferredDuringSchedulingIgnoredDuringExecution:
+                      - weight: 100
+                        podAffinityTerm:
+                            labelSelector:
+                                matchLabels:
+                                    elasticsearch.k8s.elastic.co/cluster-name: dingo-demo
+                            topologyKey: kubernetes.io/hostname