Remote clusters
editRemote clusters
editThe remote clusters module in Elasticsearch enables you to establish uni-directional connections to a remote cluster. This functionality is used in cross-cluster replication and cross-cluster search.
When using remote cluster connections with ECK, the setup process depends on where the remote cluster is deployed.
Connect from an Elasticsearch cluster running in the same Kubernetes cluster
editThe remote clusters feature requires a valid Enterprise license or Enterprise trial license. Check the license documentation for more details about managing licenses.
To create a remote cluster connection to another Elasticsearch cluster deployed within the same Kubernetes cluster, specify the remoteClusters
attribute in your Elasticsearch spec.
Security Models
editECK supports two different security models: the API key based security model, and the certificate security model. These two security models are described in the Remote clusters section of the Elasticsearch documentation.
Using the API key security model
editTo enable the API key security model you must first enable the remote cluster server on the remote Elasticsearch cluster:
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: cluster-two namespace: ns-two spec: version: 8.16.1 remoteClusterServer: enabled: true nodeSets: - name: default count: 3
Enabling the remote cluster server triggers a restart of the Elasticsearch cluster.
Once the remote cluster server is enabled and started on the remote cluster you can configure the Elasticsearch reference on the local cluster to include the desired permissions for cross-cluster search, and cross-cluster replication.
Permissions have to be included under the apiKey
field. The API model of the Elasticsearch resource is compatible with the Elasticsearch Cross-Cluster API key API model. Fine-grained permissions can therefore be configured in both the search
and replication
fields:
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: cluster-one namespace: ns-one spec: nodeSets: - count: 3 name: default remoteClusters: - name: cluster-two elasticsearchRef: name: cluster-two namespace: ns-two apiKey: access: search: names: - kibana_sample_data_ecommerce replication: names: - kibana_sample_data_ecommerce version: 8.16.1
This requires the sample data: https://www.elastic.co/guide/en/kibana/current/get-started.html#gs-get-data-into-kibana |
You can find a complete example in the recipes directory.
Using the certificate security model
editThe following example describes how to configure cluster-two
as a remote cluster in cluster-one
using the certificate security model:
Connect from an Elasticsearch cluster running outside the Kubernetes cluster
editWhile it is technically possible to configure remote cluster connections using older versions of Elasticsearch, this guide only covers the setup for Elasticsearch 7.6 and later. The setup process is significantly simplified in Elasticsearch 7.6 due to improved support for the indirection of Kubernetes services.
You can configure a remote cluster connection to an ECK-managed Elasticsearch cluster from another cluster running outside the Kubernetes cluster as follows:
- Make sure that both clusters trust each other’s certificate authority.
- Configure the remote cluster connection through the Elasticsearch REST API.
Consider the following example:
-
cluster-one
resides inside Kubernetes and is managed by ECK -
cluster-two
is not hosted inside the same Kubernetes cluster ascluster-one
and may not even be managed by ECK
To configure cluster-one
as a remote cluster in cluster-two
:
Make sure both clusters trust each other’s certificate authority
editThe certificate authority (CA) used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named <cluster_name>-es-transport-certs-public
. Extract the certificate for cluster-one
as follows:
kubectl get secret cluster-one-es-transport-certs-public \ -o go-template='{{index .data "ca.crt" | base64decode}}' > remote.ca.crt
You then need to configure the CA as one of the trusted CAs in cluster-two
. If that cluster is hosted outside of Kubernetes, take the CA certificate that you have just extracted and add it to the list of CAs in xpack.security.transport.ssl.certificate_authorities
.
Beware of copying the source Secret as-is into a different namespace. Check Common Problems: Owner References for more information.
CA certificates are automatically rotated after one year by default. You can configure this period. Make sure to keep the copy of the certificates Secret up-to-date.
If cluster-two
is also managed by an ECK instance, proceed as follows:
-
Create a config map with the CA certificate you just extracted:
kubectl create configmap remote-certs --from-file=ca.crt=remote.ca.crt
-
Use this config map to configure
cluster-one
's CA as a trusted CA incluster-two
:apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: cluster-two spec: transport: tls: certificateAuthorities: configMapName: remote-certs nodeSets: - count: 3 name: default version: 8.16.1
-
Repeat steps 1 and 2 to add the CA of
cluster-two
tocluster-one
as well.
Configure the remote cluster connection through the Elasticsearch REST API
editExpose the transport layer of cluster-one
.
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: cluster-one spec: transport: service: spec: type: LoadBalancer
On cloud providers which support external load balancers, setting the type field to LoadBalancer provisions a load balancer for your Service. Alternatively, expose the service through one of the Kubernetes Ingress controllers that support TCP services. |
Finally, configure cluster-one
as a remote cluster in cluster-two
using the Elasticsearch REST API:
PUT _cluster/settings { "persistent": { "cluster": { "remote": { "cluster-one": { "mode": "proxy", "proxy_address": "${LOADBALANCER_IP}:9300" } } } } }
Use "proxy" mode as |
|
Replace |