Rotate auto-generated credentials

edit

When deploying an Elastic Stack application, the operator generates a set of credentials essential for the operation of that application. Examples of these generated credentials include the default elastic user for Elasticsearch and the security token for APM Server. You can list all auto-generated credentials in a namespace by running the following command:

kubectl get secret -l eck.k8s.elastic.co/credentials=true

You can force the auto-generated credentials to be regenerated with new values by simply deleting the appropriate Secret. For example, to change the password for the elastic user from the quickstart example, execute the following command:

kubectl delete secret quickstart-es-elastic-user

If you are using the elastic user credentials in your own applications, they will fail to connect to Elasticsearch and Kibana after the above step. It is not recommended to use elastic user credentials for production use cases. Always create your own users with restricted roles to access Elasticsearch.

You can regenerate all auto-generated credentials in a namespace by executing the following command:

kubectl delete secret -l eck.k8s.elastic.co/credentials=true

The above command regenerates auto-generated credentials of all Elastic Stack applications in the namespace.