Running APM Server on ECK

This section describes how to deploy, configure and access an APM Server with ECK.

The current Docker image of the APM Server must run either as root or with user ID 1000. This prevents the APM Server from running in environments such as OpenShift, or on any Kubernetes cluster whose security context assigns a different user ID to the Pod.

Use an Elasticsearch cluster managed by ECK

Having ECK manage both the APM Server and Elasticsearch gives a smooth and secure integration between the two: the output configuration of the APM Server is set up automatically, including the credentials and the CA certificate needed to establish a trust relationship with Elasticsearch.

  1. To deploy an APM Server and connect it to the Elasticsearch cluster named quickstart that was created in the quickstart, apply the following specification:

    cat <<EOF | kubectl apply -f -
    apiVersion: apm.k8s.elastic.co/v1beta1
    kind: ApmServer
    metadata:
      name: apm-server-quickstart
      namespace: default
    spec:
      version: 8.17.0
      count: 1
      elasticsearchRef:
        name: quickstart
    EOF

    Deploying the APM Server and Elasticsearch in two different namespaces is currently not supported.

  2. Monitor APM Server deployment.

    You can retrieve details about the APM Server instance:

    kubectl get apmservers
    NAME                     HEALTH    NODES    VERSION   AGE
    apm-server-quickstart    green     1        8.17.0    8m

    And you can list all the Pods belonging to a given deployment:

    kubectl get pods --selector='apm.k8s.elastic.co/name=apm-server-quickstart'
    NAME                                                READY   STATUS    RESTARTS   AGE
    apm-server-quickstart-apm-server-69b447ddc5-fflc6   1/1     Running   0          2m50s

Advanced configuration

Customize the APM Server configuration

You can customize the configuration of the APM Server using the config element in the specification:

apiVersion: apm.k8s.elastic.co/v1beta1
kind: ApmServer
metadata:
  name: apm-server-quickstart
  namespace: default
spec:
  version: 8.17.0
  count: 1
  config:
    output:
      elasticsearch:
        headers:
          X-My-Header: Just an example of a custom settings
  elasticsearchRef:
    name: quickstart

The configuration items you provide always override the ones that are generated by the operator.

APM Secrets keystore for secure settings

The APM Server keystore stores sensitive settings, such as passwords, outside the plain-text configuration. ECK can manage the APM Server keystore in the Pods automatically, populating it from the Kubernetes Secrets you list under spec.secureSettings.

  1. First create a secret with the secret settings:

    kubectl create secret generic apm-secret-settings --from-literal=ES_PASSWORD=asecretpassword
  2. In the APM Server specification, add a reference to the Secret you just created in a spec.secureSettings section, then reference the key in the APM Server configuration as described in Secrets keystore for secure settings.

    apiVersion: apm.k8s.elastic.co/v1beta1
    kind: ApmServer
    metadata:
      name: apm-server-quickstart
      namespace: default
    spec:
      version: 8.17.0
      count: 1
      secureSettings:
      - secretName: apm-secret-settings
      config:
        output:
          elasticsearch:
            password: "${ES_PASSWORD}"

Reference an existing Elasticsearch cluster

Now that you know how to use the APM keystore and customize the server configuration, you can manually configure a secured connection to an existing Elasticsearch cluster.

  1. Create a secret with the Elasticsearch CA.

    First, you need to store the certificate authority of the Elasticsearch cluster in a secret:

    kubectl create secret generic es-ca --from-file=tls.crt=elasticsearch-ca.crt

    The file elasticsearch-ca.crt must contain the CA certificate of the Elasticsearch cluster you want to use with the APM Server.

  2. You can then mount this secret using the Pod template, and reference the file in the config of the APM Server.

    Here is a complete example with a password stored in the Keystore as described in the previous section:

    apiVersion: apm.k8s.elastic.co/v1beta1
    kind: ApmServer
    metadata:
      name: apm-server-quickstart
      namespace: default
    spec:
      version: 8.17.0
      count: 1
      secureSettings:
      - secretName: apm-secret-settings
      config:
        output:
          elasticsearch:
            hosts: ["my-own-elasticsearch-cluster:9200"]
            username: elastic
            password: "${ES_PASSWORD}"
            protocol: "https"
            ssl.certificate_authorities: ["/usr/share/apm-server/config/elasticsearch-ca/tls.crt"]
      podTemplate:
        spec:
          containers:
          - name: apm-server
            volumeMounts:
            - mountPath: /usr/share/apm-server/config/elasticsearch-ca
              name: elasticsearch-ca
              readOnly: true
          volumes:
          - name: elasticsearch-ca
            secret:
              defaultMode: 420 # 0644 in octal; world-readable is fine for a public CA certificate
              optional: false
              secretName: es-ca # This is the secret that holds the Elasticsearch CA cert
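The manifest above is where most deployment mistakes happen: a `${VAR}` placeholder whose key is missing from the referenced Secret, a CA path that does not match the volume mount, a Secret created with the wrong `--from-file` key, a Pod template that sets a user ID the image cannot run as, or an elasticsearchRef that points to another namespace. The following script is an added example, not ECK code: it lints an ApmServer manifest against the constraints stated on this page before you `kubectl apply` it. The manifest dict mirrors the YAML above, and the Secret contents are constructed to match what the two `kubectl create secret` commands produce, so it runs without a cluster.

```python
"""Pre-deploy lint for an ECK ApmServer manifest (added example, not ECK code).
Checks the constraints this page states before `kubectl apply`: the Pod may only
run as root or uid 1000; elasticsearchRef must stay in the ApmServer's namespace;
every ${VAR} in spec.config needs a key in a spec.secureSettings Secret; and every
certificate_authorities path needs a read-only Secret volume mount whose Secret
holds a key with that file name. Manifest and Secrets are constructed inline."""
import json
import re
from typing import Any, Dict, List

# ${VAR} or ${VAR:default}: the keystore reference syntax used in the APM Server config.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::[^}]*)?\}")


def _ca_paths(node: Any) -> List[str]:
    """Collect certificate_authorities entries, nested or dotted ("ssl.certificate_authorities")."""
    out: List[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k.split(".")[-1] == "certificate_authorities":
                out.extend(v if isinstance(v, list) else [v])
            else:
                out.extend(_ca_paths(v))
    elif isinstance(node, list):
        for v in node:
            out.extend(_ca_paths(v))
    return out


def lint_apmserver(manifest: Dict[str, Any], secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems found (empty list = manifest passes). `secrets` maps Secret
    name -> {key: value}, i.e. the decoded `data` of `kubectl get secret <name> -o json`."""
    problems: List[str] = []
    spec = manifest.get("spec", {})
    ns = manifest.get("metadata", {}).get("namespace", "default")
    pod = spec.get("podTemplate", {}).get("spec", {})
    config = spec.get("config", {})

    ref = spec.get("elasticsearchRef") or {}
    if ref.get("namespace", ns) != ns:
        problems.append(f"elasticsearchRef targets namespace {ref['namespace']!r}; "
                        "cross-namespace references are not supported")

    # Pod-level and container-level runAsUser must be root or 1000 for this image.
    uids = [pod.get("securityContext", {}).get("runAsUser")]
    uids += [c.get("securityContext", {}).get("runAsUser") for c in pod.get("containers", [])]
    for uid in uids:
        if uid is not None and uid not in (0, 1000):
            problems.append(f"runAsUser {uid}: the APM Server image only runs as root or uid 1000")

    keys: set = set()
    for entry in spec.get("secureSettings", []):
        name = entry.get("secretName")
        if name in secrets:
            keys.update(secrets[name])
        else:
            problems.append(f"secureSettings Secret {name!r} does not exist")
    # Scan the whole config tree as JSON text so placeholders anywhere in it are found.
    for var in PLACEHOLDER.findall(json.dumps(config)):
        if var not in keys:
            problems.append(f"config uses ${{{var}}} but no secureSettings Secret provides that key")

    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    mounts = [m for c in pod.get("containers", []) for m in c.get("volumeMounts", [])]
    for ca in _ca_paths(config):
        mount = next((m for m in mounts if ca.startswith(m["mountPath"].rstrip("/") + "/")), None)
        if mount is None:
            problems.append(f"CA file {ca} is not under any volumeMount")
            continue
        secret_ref = volumes.get(mount["name"], {}).get("secret")
        if secret_ref is None:
            problems.append(f"volume {mount['name']!r} serving {ca} is not a Secret volume")
            continue
        if not mount.get("readOnly", False):
            problems.append(f"mount {mount['mountPath']} for the CA should be readOnly")
        sname, fname = secret_ref.get("secretName"), ca.rsplit("/", 1)[-1]
        if sname not in secrets or fname not in secrets[sname]:
            problems.append(f"Secret {sname!r} has no key {fname!r} (check --from-file=<key>=...)")
    return problems


def example_manifest() -> Dict[str, Any]:
    """The 'existing cluster' manifest above, as a dict (constructed for this example)."""
    ca_path = "/usr/share/apm-server/config/elasticsearch-ca/tls.crt"
    return {"apiVersion": "apm.k8s.elastic.co/v1beta1", "kind": "ApmServer",
            "metadata": {"name": "apm-server-quickstart", "namespace": "default"},
            "spec": {"version": "8.17.0", "count": 1,
                     "secureSettings": [{"secretName": "apm-secret-settings"}],
                     "config": {"output": {"elasticsearch": {
                         "hosts": ["my-own-elasticsearch-cluster:9200"], "username": "elastic",
                         "password": "${ES_PASSWORD}", "protocol": "https",
                         "ssl.certificate_authorities": [ca_path]}}},
                     "podTemplate": {"spec": {
                         "containers": [{"name": "apm-server", "volumeMounts": [
                             {"mountPath": ca_path.rsplit("/", 1)[0], "name": "elasticsearch-ca",
                              "readOnly": True}]}],
                         "volumes": [{"name": "elasticsearch-ca", "secret": {
                             "defaultMode": 420, "optional": False, "secretName": "es-ca"}}]}}}}


# Constructed: decoded contents of the two Secrets created by the kubectl commands above.
EXAMPLE_SECRETS = {"apm-secret-settings": {"ES_PASSWORD": "asecretpassword"},
                   "es-ca": {"tls.crt": "-----BEGIN CERTIFICATE-----\n<pem omitted>\n-----END CERTIFICATE-----\n"}}

if __name__ == "__main__":
    print("\n".join(lint_apmserver(example_manifest(), EXAMPLE_SECRETS) or ["manifest passes all checks"]))
```

To run it against a real deployment, load the manifest with a YAML parser and build the `secrets` mapping from `kubectl get secret <name> -o json`, base64-decoding each value under `data`. The readOnly check matters because the CA file should never be writable from inside the container, and the key-name check catches the common mistake of creating the Secret with `--from-file=elasticsearch-ca.crt` while the config expects `tls.crt`.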

TLS Certificates

By default the operator manages a private CA and generates a self-signed certificate used to secure the communication between APM agents and the server.

This behavior and the relevant configuration is identical to what is done for Elasticsearch and Kibana. See Setting up your own certificate for more information on how to use your own certificate to configure the TLS endpoint of the APM Server.

For more details on how to configure the APM agents to work with custom certificates, see the APM agents documentation.

Connecting to the APM Server

APM Server service

The APM Server is exposed with a Service. For information on accessing it, see How to access Elastic Stack services.

To retrieve the list of all the APM Services, use the following command:

kubectl get service --selector='common.k8s.elastic.co/type=apm-server'
NAME                             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE
apm-server-quickstart-apm-http   ClusterIP   10.0.1.252   <none>        8200/TCP   154m

APM Server secret token

The operator generates an authorization token that agents must send, as a Bearer token in the HTTP Authorization header, to authenticate themselves to the APM Server.

This token is stored in a secret named {APM-server-name}-apm-token and can be retrieved with the following command:

kubectl get secret/apm-server-quickstart-apm-token -o go-template='{{index .data "secret-token" | base64decode}}'

For more information, see APM Server Reference.
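The following script is an added example, not ECK or APM Server code. It shows both ends of the token check described above: decoding the token from the Secret (the Python equivalent of the go-template command), building the Authorization header an agent sends, and a model of the server-side check that accepts only the exact Bearer scheme and compares the token in constant time. The Secret JSON is constructed to match the shape of `kubectl get secret ... -o json`, with a made-up token value; the constant-time comparison is the correct design for such a check, not a claim about APM Server's internals.

```python
"""Secret-token handshake between an APM agent and the APM Server (added example,
not ECK or APM Server code). Both sides are modelled; the Secret JSON is constructed."""
import base64
import hmac
import json

# Constructed: the shape of `kubectl get secret apm-server-quickstart-apm-token -o json`,
# trimmed to the fields that matter, with a made-up token value.
SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "apm-server-quickstart-apm-token", "namespace": "default"},
    "type": "Opaque",
    "data": {"secret-token": base64.b64encode(b"0SRU37FGmPv5D11MXQ4l").decode()},
})


def token_from_secret(secret_json: str) -> str:
    """Decode data["secret-token"]; the Python equivalent of the go-template command above."""
    raw = json.loads(secret_json)["data"]["secret-token"]
    return base64.b64decode(raw).decode()


def agent_headers(token: str) -> dict:
    """What an APM agent configured with the secret token sends on every intake request."""
    return {"Authorization": f"Bearer {token}"}


def server_authorized(headers: dict, expected_token: str) -> bool:
    """Model of the server-side check: exact 'Bearer' scheme, a non-empty token, and a
    constant-time comparison so a wrong token cannot be guessed byte by byte.
    This is an illustrative model of the behaviour, not APM Server's source."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


if __name__ == "__main__":
    token = token_from_secret(SECRET_JSON)
    print("valid token accepted:", server_authorized(agent_headers(token), token))
    print("wrong token rejected:", not server_authorized(agent_headers("wrong"), token))
```

Because the token travels in a header, it only stays secret if agents talk to the APM Server over the TLS endpoint described above; anyone who can read the `{APM-server-name}-apm-token` Secret, or sniff plain HTTP traffic to port 8200, can ingest arbitrary data as a trusted agent, so restrict RBAC on that Secret accordingly.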