Deploying Splunk with the Splunk Operator for Kubernetes on Microk8s!
Now that my lab server has been migrated to Ubuntu and Microk8s has been installed, it's time to deploy our first app!
Naturally, I will start by deploying Splunk, which I will rely on to give me deep insight into anything that happens in my lab!
I will be deploying a "Standalone" Splunk instance as my main "Production" instance, but will also need to deploy test and dev clusters from time to time.
To help deploy both, I will be using Splunk's Kubernetes Operator.
The Splunk Operator for Kubernetes makes it easy for Splunk Administrators to deploy and operate Enterprise deployments in a Kubernetes infrastructure. Packaged as a container, it uses the operator pattern to manage Splunk-specific custom resources, following best practices to manage all the underlying Kubernetes objects for you.
You had me at "easy"!
Installing the Splunk Operator is literally a one-liner!
kubectl -n splunk apply -f http://tiny.cc/splunk-operator-install
customresourcedefinition.apiextensions.k8s.io/splunkenterprises.enterprise.splunk.com created
clusterrole.rbac.authorization.k8s.io/splunk:operator:namespace-manager created
clusterrole.rbac.authorization.k8s.io/splunk:operator:resource-manager created
serviceaccount/splunk-operator created
rolebinding.rbac.authorization.k8s.io/splunk:operator:namespace-manager created
deployment.apps/splunk-operator created
After a moment, you will notice the Splunk Operator pod has spun up in our Splunk namespace:
kubectl -n splunk get pods
NAME                               READY   STATUS    RESTARTS   AGE
splunk-operator-75454dbdfc-8bbgf   1/1     Running   0          40m
The Splunk Operator pod will listen for requests for Splunk resources and deploy them!
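The one-liner above pulls the manifest through a URL shortener over plain HTTP and creates cluster roles, so one option is to save the file, review what it contains, and apply that exact copy. The following is an added example, not part of the original post or the Splunk Operator project; the function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a saved operator manifest before `kubectl apply`.
# Function names are hypothetical; the sample manifest is constructed.

# Print "Kind/name" for each object in a multi-document YAML file.
list_objects() {
    awk '
        /^---/       { if (kind) print kind "/" name; kind = name = ""; next }
        /^kind:/     { kind = $2 }
        /^metadata:/ { inmeta = 1; next }
        /^[^ ]/      { inmeta = 0 }
        inmeta && /^  name:/ && name == "" { name = $2 }
        END          { if (kind) print kind "/" name }
    ' "$1"
}

# Objects that take effect cluster-wide even though the apply used -n splunk.
cluster_scoped() {
    list_objects "$1" |
        grep -E '^(CustomResourceDefinition|ClusterRole|ClusterRoleBinding)/' || true
}

# Succeed only if the file still matches the SHA-256 recorded at review time.
verify_pin() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Constructed sample mirroring some kinds from the apply output on this page.
sample_manifest() {
    cat <<'EOF'
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: splunkenterprises.enterprise.splunk.com
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: splunk:operator:namespace-manager
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: splunk-operator
EOF
}
f=$(mktemp); sample_manifest > "$f"
pin=$(sha256sum "$f" | awk '{print $1}')   # record once, after reading the file
cluster_scoped "$f"
verify_pin "$f" "$pin" && echo "pin matches: apply this exact file with -f $f"
```

In real use, the saved download takes the place of `sample_manifest`, and the pin is compared again each time the file is re-applied.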
/dev/mapper/ubuntu--vg-lv--root 784G 16G 729G 3% /
I have ~700GB total in the lab, so I am going to slice off 300GB for /opt/splunk/var/ and 5GB for /opt/splunk/etc/, knowing I have SmartStore as an adventure I will take, which can be a disk pressure valve.
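apiVersion: enterprise.splunk.com/v1alpha1
kind: SplunkEnterprise
metadata:
  name: mattymo-splunk
  # app and region are labels, so they are nested under metadata.labels
  labels:
    app: splunk
    region: milton
  # Delete the persistent volume claims when this resource is deleted
  finalizers:
  - enterprise.splunk.com/delete-pvc
spec:
  resources:
    splunkEtcStorage: 5Gi     # backs /opt/splunk/etc/
    splunkVarStorage: 300Gi   # backs /opt/splunk/var/
  defaults: |-
    splunk:
      # Placeholder values: set your own admin password and HEC token before applying
      password: password
      hec_token: 00000000-0000-0000-0000-000000000000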
Going with a real simple bootstrap, as I will be able to easily install Splunk apps via the UI/CLI as needed.
kubectl -n splunk port-forward splunk-mattymo-splunk-standalone-0 9999:8000
We are Live!
Now that Splunk is up, let's get our MicroK8s environment instrumented!