Merge pull request #13664 from mburke5678/Exposing-elasticsearch-service-with-route

mburke5678 · web-flow · commit 8161e1481c00 · 2019-02-19T12:18:43.000-05:00
Exposing elasticsearch service with a route
diff --git a/modules/efk-logging-elasticsearch-exposing.adoc b/modules/efk-logging-elasticsearch-exposing.adoc
@@ -13,40 +13,58 @@ You have access to Elasticsearch using your {product-title} token, and
 you can provide the external Elasticsearch and Elasticsearch Ops
 hostnames when creating the server certificate (similar to Kibana).
 
+.Prerequisite
+
+Set cluster logging to the unmanaged state.
+
 .Procedure
 
-. To access Elasticsearch as a reencrypt route, define the following variables:
+. Use the following command to get name of the ElasticSearch pod:
 +
 ----
-openshift_logging_es_allow_external=True
-// openshift_logging_es_hostname=elasticsearch.example.com
+ESPOD=$( oc get pods -l component=elasticsearch -o name | sed -e "s/pod\///" )
 ----
 
-. To log in to Elasticsearch remotely, the request must contain three HTTP headers:
+. Use the following command to extract CA certificate to a file:
 +
 ----
-Authorization: Bearer $token
-X-Proxy-Remote-User: $username
-X-Forwarded-For: $ip_address
+oc exec $ESPOD -- cat /etc/openshift/elasticsearch/secret/admin-ca > ./admin-ca
 ----
 
-. You must have access to the project in order to be able to access to the logs. For example:
+. Create the route object for the ElasticSearch service as an yaml file:
 +
 ----
-$ oc login <user1>
-$ oc new-project <user1project>
-$ oc new-app <httpd-example>
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: elasticsearch
+  namespace: openshift-logging
+spec:
+  host:
+  to:
+    kind: Service
+    name: elasticsearch
+  tls:
+    termination: reencrypt
+    caCertificate: |-
 ----
 
-. You need to get the token of this ServiceAccount to be used in the request:
+. Use the following commands to add the CA certificate to the object YAML file:
 +
 ----
-$ token=$(oc whoami -t)
+cat ./admin-ca | sed -e "s/^/      /" >> my_es_route.yaml
+echo "    destinationCACertificate: |-" >> my_es_route.yaml
+cat ./admin-ca | sed -e "s/^/      /" >> my_es_route.yaml
 ----
 
-. Using the token previously configured, you should be able access Elasticsearch through the exposed route:
+. Use the following command to create the service:
 +
 ----
-$ curl -k -H "Authorization: Bearer $token" -H "X-Proxy-Remote-User: $(oc whoami)" -H "X-Forwarded-For: 127.0.0.1" https://es.example.test/project.my-project.*/_search?q=level:err | python -mjson.tool
+oc create -f my_es_route.yaml
 ----
 
+. Check the ElasticSearch service is exposed:
++
+----
+curl --silent --insecure -H "Authorization: Bearer $( oc whoami -t )" "https://$( oc get route elasticsearch -o jsonpath='{.spec.host}' ):443/.operations.*/_search" | jq
+----
