[8.x] Fleet Server on kubernetes document proposal (backport #1518)

docs/en/ingest-management/fleet/add-fleet-server-kubernetes-content.asciidoc

@@ -0,0 +1,209 @@
+// tag::quickstart-secret[]
+The following command assumes you have the {es} CA available as a local file.
++
+[source, shell]
+------------------------------------------------------------
+kubectl create secret generic fleet-server-ssl \
+  --from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE>
+------------------------------------------------------------
++
+--
+When running the command, substitute the following values:
+
+* `<PATH_TO_ES_CA_CERT_FILE>` with your local file containing the {es} CA(s).
+--
++
+If you prefer to obtain a *yaml manifest* of the Secret to create, append `--dry-run=client -o=yaml` to the command and save the output to a file.
+// end::quickstart-secret[]
+
+// ***************************************************
+// ***************************************************
+
+// tag::production-secret[]
+The following command assumes you have the {es} CA and the {fleet-server} certificate, key and CA available as local files.
++
+[source, shell]
+------------------------------------------------------------
+kubectl create secret generic fleet-server-ssl \
+  --from-file=es-ca.crt=<PATH_TO_ES_CA_CERT_FILE> \
+  --from-file=fleet-ca.crt=<PATH_TO_FLEET_CA_CERT_FILE> \
+  --from-file=fleet-server.crt=<PATH_TO_FLEET_SERVER_CERT> \
+  --from-file=fleet-server.key=<PATH_TO_FLEET_SERVER_CERT_KEY> \
+  --from-literal=fleet_url='<FLEET_URL>'
+------------------------------------------------------------
++
+--
+When running the command, substitute the following values:
+
+* `<PATH_TO_ES_CA_CERT_FILE>` with your local file containing the {es} CA(s).
+* `<PATH_TO_FLEET_CA_CERT_FILE>` with your local file containing the {fleet-server} CA.
+* `<PATH_TO_FLEET_SERVER_CERT>` with your local file containing the server TLS certificate for the {fleet-server}.
+* `<PATH_TO_FLEET_SERVER_CERT_KEY>` with your local file containing the server TLS key for the {fleet-server}.
+* `<FLEET_URL>` with the URL that points to the {fleet-server}, for example `https://fleet-svc`. This URL will be used by the {fleet-server} during its bootstrap, and its hostname must be included in the server certificate’s x509 Subject Alternative Name (SAN) list.
+--
++
+If you prefer to obtain a *yaml manifest* of the Secret to create, append `--dry-run=client -o=yaml` to the command and save the output to a file.
+// end::production-secret[]
+
+// ***************************************************
+// ***************************************************
+
+// tag::quickstart-deployment[]
+["source","yaml",subs="attributes"]
+------------------------------------------------------------
+apiVersion: v1
+kind: Service
+metadata:
+  name: fleet-svc
+spec:
+  type: ClusterIP
+  selector:
+    app: fleet-server
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8220
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fleet-server
+  template:
+    metadata:
+      labels:
+        app: fleet-server
+    spec:
+      automountServiceAccountToken: false
+      containers:
+      - name: elastic-agent
+        image: docker.elastic.co/beats/elastic-agent:{version}
+        env:
+          - name: FLEET_SERVER_ENABLE
+            value: "true"
+          - name: FLEET_SERVER_ELASTICSEARCH_HOST
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: elastic_endpoint
+          - name: FLEET_SERVER_SERVICE_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: elastic_service_token
+          - name: FLEET_SERVER_POLICY_ID
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: fleet_policy_id
+          - name: ELASTICSEARCH_CA
+            value: /mnt/certs/es-ca.crt
+        ports:
+        - containerPort: 8220
+          protocol: TCP
+        resources: {}
+        volumeMounts:
+        - name: certs
+          mountPath: /mnt/certs
+          readOnly: true
+      volumes:
+      - name: certs
+        secret:
+          defaultMode: 420
+          optional: false
+          secretName: fleet-server-ssl
+------------------------------------------------------------
+// end::quickstart-deployment[]
+
+// ***************************************************
+// ***************************************************
+
+// tag::production-deployment[]
+["source","yaml",subs="attributes"]
+------------------------------------------------------------
+apiVersion: v1
+kind: Service
+metadata:
+  name: fleet-svc
+spec:
+  type: ClusterIP
+  selector:
+    app: fleet-server
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 8220
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: fleet-server
+  template:
+    metadata:
+      labels:
+        app: fleet-server
+    spec:
+      automountServiceAccountToken: false
+      containers:
+      - name: elastic-agent
+        image: docker.elastic.co/beats/elastic-agent:{version}
+        env:
+          - name: FLEET_SERVER_ENABLE
+            value: "true"
+          - name: FLEET_SERVER_ELASTICSEARCH_HOST
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: elastic_endpoint
+          - name: FLEET_SERVER_SERVICE_TOKEN
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: elastic_service_token
+          - name: FLEET_SERVER_POLICY_ID
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-config
+                key: fleet_policy_id
+          - name: ELASTICSEARCH_CA
+            value: /mnt/certs/es-ca.crt
+          - name: FLEET_SERVER_CERT
+            value: /mnt/certs/fleet-server.crt
+          - name: FLEET_SERVER_CERT_KEY
+            value: /mnt/certs/fleet-server.key
+          - name: FLEET_CA
+            value: /mnt/certs/fleet-ca.crt
+          - name: FLEET_URL
+            valueFrom:
+              secretKeyRef:
+                name: fleet-server-ssl
+                key: fleet_url
+          - name: FLEET_SERVER_TIMEOUT
+            value: '60s'
+          - name: FLEET_SERVER_PORT
+            value: '8220'
+        ports:
+        - containerPort: 8220
+          protocol: TCP
+        resources: {}
+        volumeMounts:
+        - name: certs
+          mountPath: /mnt/certs
+          readOnly: true
+      volumes:
+      - name: certs
+        secret:
+          defaultMode: 420
+          optional: false
+          secretName: fleet-server-ssl
+------------------------------------------------------------
+// end::production-deployment[]