一、elasticsearch 集群搭建

1、下载并解压elasticsearch

   选择合适的elasticsearch版本下载，这里我们选择elasticsearch7.10.2，下载链接：elasticsearch下载地址

2、ES集群搭建

vi elasticsearch/config/elasticsearch.yml
配置如下，这里开启security验证

cluster.name: arkham-cluster
node.name: node-192.168.3.252
cluster.initial_master_nodes: node-192.168.3.252
network.host: 192.168.3.252
http.port: 9200
path.data: /home/arkham/elk/elasticsearch/data
path.logs: /home/arkham/elk/elasticsearch/logs
discovery.zen.ping.unicast.hosts: ["192.168.3.252:9300", "192.168.3.253:9300", "192.168.3.3:9300"]
discovery.zen.minimum_master_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true

2.1 打开防火墙9200,9300端口

sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent      #####9200根据实际情况,修改成应用端口,或者要开启的端口
sudo firewall-cmd --zone=public --add-port=9300/tcp --permanent      #####9200根据实际情况,修改成应用端口,或者要开启的端口
sudo firewall-cmd --reload       #######重启防火墙

   此时启动会报错：

Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

   需要配置传输层TLS/SSL加密传输，传输协议用于Elasticsearch节点之间的内部通信
   elasticsearch解压后bin目录下已经附带了一个名为elasticsearch-certutil的程序，可以直接用于生成加密Elasticsearch集群内部通信的自签名证书，具体操作如下:

./bin/elasticsearch-certutil ca
按下enter后输入密码
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns 192.168.3.252,192.168.3.12 --ip 192.168.3.252,192.168.3.12
输入上方的密码
创建es证书证书一定要加--dns 和--ip否则后期通信会报错

   最后会生产两个文件:elastic-stack-ca.p12和elastic-certificates.p12，去config目录下新建certs目录，将两个文件拷贝至certs目录下，修改elasticsearch.yml配置文件

cluster.name: arkham-cluster
node.name: node-192.168.3.252
cluster.initial_master_nodes: node-192.168.3.252
network.host: 192.168.3.252
http.port: 9200
path.data: /home/arkham/elk/elasticsearch/data
path.logs: /home/arkham/elk/elasticsearch/logs
discovery.zen.ping.unicast.hosts: ["192.168.3.252:9300", "192.168.3.253:9300", "192.168.3.3:9300"]
discovery.zen.minimum_master_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
bootstrap.system_call_filter: false
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

   将配置好之后的elasticsearch整个包复制到另外两台机器上，并修改node.name，host改为各自的ip
   elastic-stack-ca.p12拷贝到es2，es3并重新依次生成带有dns和ip的elastic-certificates.p12证书

2.2 在每个节点中设置证书密码

# 对应的证书密码: xpack.security.transport.ssl.keystore.path
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

# 对应的证书密码: xpack.security.transport.ssl.truststore.path
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

2.3 配置elasticsearch登录密码

bin/elasticsearch-setup-passwords interactive
// 如果想自动生产密码可以用以下指令
bin/elasticsearch-setup-passwords auto

   配置完之后访问elasticsearch需要登录才行

2.4 配置HTTP层TLS/SSL加密传输

   继续使用 PKCS#12 格式的证书，对于HTTP层通信，Elasticsearch节点仅用作服务器，因此可以使用服务器证书，即TLS/SSL证书不需要启用客户端身份验证。而用于加密HTTP通信的证书可以与传输通信不同的证书，与上面一样执行elasticsearch-certutil，生成两个文件这里我们重新命名为http-client.p12和http.p12 ，elasticsearch.yml文件中配置如下：

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.ssl.truststore.path: certs/http.p12	

   设置证书密码

# 对应的证书密码: xpack.security.http.ssl.keystore.path
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

# 对应的证书密码: xpack.security.http.ssl.truststore.path
bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

   此时用chrome自带的elasticsearch-head插件连接elasticsearch(elasticsearch-head插件安装自行百度安装)

3、kibana安装

   elasticsearch已经使用了自签名CA，所以我们必须还使用之前的elastic-stack-ca.p12CA来签署HTTP客户端证书，即http.p12的文件，其中包含对我们的Elasticsearch集群进行PKI身份验证所需的所有信息。 这里我们需要将其分解为其私钥，公共证书和CA证书

// Private Key 私钥
openssl pkcs12 -in http.p12 -nocerts -nodes > client.key
// Public Certificate 公共证书
openssl pkcs12 -in http.p12 -clcerts -nokeys  > client.cer
// CA Certificate 签署公共证书的CA
openssl pkcs12 -in http.p12 -cacerts -nokeys -chain > client-ca.cer

   在Kibana根目录创建config/certs目录，并将上面生成的客户端证书复制到目录中，并配置kibana.yml

server.port: 5601
elasticsearch.username: "kibana_system"
elasticsearch.password: ""
kibana.index: ".kibana"
elasticsearch.ssl.certificate: config/certs/client.cer
elasticsearch.ssl.key: config/certs/client.key
elasticsearch.ssl.certificateAuthorities: [ "config/certs/client-ca.cer" ]
elasticsearch.ssl.verificationMode: certificate
xpack.security.enabled: true
server.ssl.enabled: true
server.ssl.certificate: config/certs/client
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.reporting.encryptionKey: "a_random_string"

   如果不配置秘钥启动kibana时则会出现以下错误

   记得打开5601端口防火墙

sudo firewall-cmd --zone=public --add-port=5601/tcp --permanent      #####9200根据实际情况,修改成应用端口,或者要开启的端口
sudo firewall-cmd --reload       #######重启防火墙

   至此访问https://192.168.3.252:5601/查看节点状态