Overview
IBM® Automation Elasticsearch uses the Elastic License 2.0 (ELv2) basic license.
Elasticsearch is an operational data store that also provides a custom security plug-in to enable basic authentication and a proxy sidecar for Transport Layer Security (TLS) capability.
The ibm-elastic-operator-controller-manager deployment provides the Elasticsearch APIs.
Prerequisites
The IBM Automation Elasticsearch service needs the following components:
- Elastic certificate CA, which is created by using the ibm-cert-manager-operator. Following is a sample issuer and certificate. You must later specify the certificate CA in the ElasticsearchCluster CR under the mount called ca-certs.

  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: [automationbase-name]-automationbase-ab-ss-issuer
    namespace: iaf
  spec:
    selfSigned: {}

  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: [automationbase-name]-automationbase-ab-ss-ca
    namespace: iaf
  spec:
    commonName: IBM Automation Foundation CA
    duration: 2160h0m0s
    isCA: true
    issuerRef:
      kind: Issuer
      name: [automationbase-name]-automationbase-ab-ss-issuer
    renewBefore: 720h0m0s
    secretName: [automationbase-name]-automationbase-ab-ss-ca
    usages:
      - cert sign
      - signing

- Elastic certificate issuer and secret. These components are later added to the Elasticsearch CR in the Elasticsearch.spec.tls section so that private keys are not directly exposed.

  apiVersion: cert-manager.io/v1
  kind: Issuer
  metadata:
    name: [automationbase-name]-automationbase-ab-issuer
    namespace: iaf
  spec:
    ca:
      secretName: [automationbase-name]-automationbase-ab-ss-ca

- A Secret with only the ca.crt field.

  kind: Secret
  apiVersion: v1
  metadata:
    name: [automationbase-name]-automationbase-ab-ca
    namespace: iaf
  data:
    ca.crt: >-
      [copied ca.crt from [automationbase-name]-automationbase-ab-ss-ca]
  type: Opaque

Connection details for Elasticsearch
The Elasticsearch.status.endpoints section returns connection details when you request them, such as the Secret with the administrator credentials and the internal and external endpoints. Following is an example section from the Elasticsearch CR:
apiVersion: elastic.automation.ibm.com/v1beta1
kind: Elasticsearch
...
status:
  endpoints:
    - authentication:
        secret:
          secretName: iaf-system-elasticsearch-es-default-user
        type: BasicSecret
      caSecret:
        key: ca.crt
        secretName: [automationbase-name]-automationbase-ab-ca
      name: iaf-system-es
      scope: External
      type: API
      uri: 'https://iaf-system-es-iaf.apps.iaf-test2.cp.fyre.ibm.com'
    - authentication:
        secret:
          secretName: iaf-system-elasticsearch-es-default-user
        type: BasicSecret
      caSecret:
        key: ca.crt
        secretName: automationbase-sample-automationbase-ab-ca
      name: iaf-system-elasticsearch-es
      scope: Internal
      type: API
      uri: 'https://iaf-system-elasticsearch-es.iaf:9200'
Storage
A ReadWriteOnce (RWO) PersistentVolume (PV) is needed for Elasticsearch. If you do not specify a storage class in the spec.elasticsearch.nodegroupspecs[].storage.class section, the default StorageClass that you set for your cluster is used.
Example Elasticsearch CR
An Elasticsearch CR with status is shown in the following example:
apiVersion: elastic.automation.ibm.com/v1beta1
kind: Elasticsearch
metadata:
  name: iaf-system
  namespace: iaf
spec:
  license:
    accept: true
  nodegroupspecs:
    - name: master-data
      replicas: 3
      storage:
        type: persistent-claim
      template:
        pod:
          spec: {}
  tls:
    caSecret:
      key: ca.crt
      secretName: automationbase-sample-automationbase-ab-ca
    issuerRef:
      name: automationbase-sample-automationbase-ab-issuer
  version: v2
status:
  adminAuthSecretName: iaf-system-elasticsearch-es-default-user
  conditions:
    - lastTransitionTime: '2022-11-11T16:37:54Z'
      message: Elasticsearch successfully installed
      reason: Installed
      status: 'True'
      type: Ready
    - lastTransitionTime: '2022-11-10T17:04:05Z'
      message: 'Health: GREEN, DataNodes: 3'
      reason: Passed
      status: 'True'
      type: Healthy
    - lastTransitionTime: '2022-09-20T16:14:11Z'
      message: Default credentials to be updated for security reasons
      reason: Generated
      status: 'False'
      type: SecureCreds
  endpoints:
    - authentication:
        secret:
          secretName: iaf-system-elasticsearch-es-default-user
        type: BasicSecret
      caSecret:
        key: ca.crt
        secretName: automationbase-sample-automationbase-ab-ca
      name: iaf-system-es
      scope: External
      type: API
      uri: 'https://iaf-system-es-iaf.apps.iaf-test2.cp.fyre.ibm.com'
    - authentication:
        secret:
          secretName: iaf-system-elasticsearch-es-default-user
        type: BasicSecret
      caSecret:
        key: ca.crt
        secretName: automationbase-sample-automationbase-ab-ca
      name: iaf-system-elasticsearch-es
      scope: Internal
      type: API
      uri: 'https://iaf-system-elasticsearch-es.iaf:9200'
  managedResources:
    - 'certificate:iaf/iaf-system-elasticsearch-es-client-cert'
    - 'configmap:iaf/iaf-system-elasticsearch-es'
    - 'networkpolicy:iaf/iaf-system-elasticsearch-es'
    - 'route:iaf/iaf-system-es'
    - 'secret:iaf/iaf-system-elasticsearch-es-default-user'
    - 'service:iaf/iaf-system-elasticsearch-es'
    - 'service:iaf/iaf-system-elasticsearch-es-headless'
    - 'serviceaccount:iaf/iaf-system-elasticsearch-es'
    - 'statefulset:iaf/iaf-system-elasticsearch-es-master-data'
  nodeGroups:
    - name: master-data
  versions:
    available:
      channels:
        - name: v2
        - name: v2.0
        - name: v1
        - name: v1.2
        - name: v1.1
        - name: v1.0
      versions:
        - name: 2.0.11
        - name: 2.0.10
        - name: 2.0.9
        - name: 2.0.8
        - name: 2.0.7
        - name: 2.0.6
        - name: 2.0.5
        - name: 2.0.4
        - name: 2.0.3
        - name: 2.0.2
        - name: 2.0.1
        - name: 2.0.0
        - name: 1.2.1
        - name: 1.2.0
        - name: 1.1.0
        - name: 1.0.0
    reconciled: 2.0.11
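
The status conditions and endpoints in the example CR can be checked automatically. The following is an added example, not IBM code: it flags a SecureCreds condition that is not 'True', endpoints that are not HTTPS or that lack a caSecret, and External endpoints that use basic authentication while SecureCreds is not 'True'. The function names, the severity labels and the constructed sample (a trimmed copy of the status above) are assumptions of this example.

```python
from urllib.parse import urlsplit

def _endpoint(name, scope, uri):
    # Builds one constructed status.endpoints[] entry shaped like the page's.
    return {"authentication": {"type": "BasicSecret", "secret": {
                "secretName": "iaf-system-elasticsearch-es-default-user"}},
            "caSecret": {"key": "ca.crt",
                         "secretName": "automationbase-sample-automationbase-ab-ca"},
            "name": name, "scope": scope, "type": "API", "uri": uri}

# Constructed sample mirroring the status block of the example CR.
SAMPLE_STATUS = {
    "conditions": [
        {"type": "Ready", "status": "True"}, {"type": "Healthy", "status": "True"},
        {"type": "SecureCreds", "status": "False",
         "message": "Default credentials to be updated for security reasons"},
    ],
    "endpoints": [
        _endpoint("iaf-system-es", "External",
                  "https://iaf-system-es-iaf.apps.iaf-test2.cp.fyre.ibm.com"),
        _endpoint("iaf-system-elasticsearch-es", "Internal",
                  "https://iaf-system-elasticsearch-es.iaf:9200"),
    ],
}

def audit_status(status):
    """Return (severity, finding) tuples; severities are this example's choice."""
    findings = []
    conds = {c["type"]: c for c in status.get("conditions", [])}
    for ctype in ("Ready", "Healthy", "SecureCreds"):
        cond = conds.get(ctype, {"status": "missing"})
        if cond["status"] != "True":
            sev = "high" if ctype == "SecureCreds" else "warn"
            findings.append((sev, f"{ctype}={cond['status']} {cond.get('message', '')}".strip()))
    creds_ok = conds.get("SecureCreds", {}).get("status") == "True"
    for ep in status.get("endpoints", []):
        name = ep.get("name", "<unnamed>")
        if urlsplit(ep.get("uri", "")).scheme != "https":
            findings.append(("high", f"{name}: URI is not HTTPS"))
        if not ep.get("caSecret", {}).get("secretName"):
            findings.append(("high", f"{name}: no caSecret, clients cannot pin the CA"))
        basic = ep.get("authentication", {}).get("type") == "BasicSecret"
        if ep.get("scope") == "External" and basic and not creds_ok:
            findings.append(("high", f"{name}: external basic auth while SecureCreds is not True"))
    return findings

if __name__ == "__main__":
    for severity, finding in audit_status(SAMPLE_STATUS):
        print(f"[{severity}] {finding}")
```

To audit a live cluster, pass the `status` object of the CR exported as JSON to `audit_status` instead of the constructed sample.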