Enabling CCS/R between Elasticsearch Service and ECK

edit

These steps describe how to configure remote clusters between an Elasticsearch cluster in Elasticsearch Service and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.

Establish trust between two clusters

edit

The first step is to establish trust between the two clusters.

Establish trust in the Elasticsearch Service cluster

edit
  1. Save the ECK CA certificate to a file. For a cluster named quickstart, run:

    kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt
  1. Update the trust settings for the Elasticsearch Service deployment. Follow the steps provided in Access clusters of a self-managed environment, and specifically the first three steps in Specify the deployments trusted to be used as remote clusters using TLS certificate as security model.

    • Use the certificate file saved in the first step.
    • Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
  2. Select Save and then download the CA Certificate and trust.yml file. These files can also be retrieved in the Security page of the deployment. You will use these files in the next set of steps.

Establish trust in the ECK cluster

edit
  1. Upload the Elasticsearch Service certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

    kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>
  2. Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

    kubectl create configmap quickstart-trust --from-file=<path to trust.yml>
  3. Edit the Elasticsearch kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace the CA-Certificate-Filename placeholder with the correct value. Note that these configuration changes are required for all nodeSets. Applying this change requires all pods in all nodeSets to be deleted and recreated, which might take quite a while to complete.

    spec:
      nodeSets:
      - config:
           xpack.security.transport.ssl.certificate_authorities:
           - /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
           xpack.security.transport.ssl.trust_restrictions.path:  /usr/share/elasticsearch/config/trust-filter/trust.yml
        podTemplate:
          spec:
            containers:
            - name: elasticsearch
               volumeMounts:
               - mountPath: /usr/share/elasticsearch/config/other
                  name: ce-aws-cert
               - mountPath: /usr/share/elasticsearch/config/trust-filter
                 name: quickstart-trust
            volumes:
            - name: ce-aws-cert
               secret:
                 secretName: ce-aws-cert
            - configMap:
                 name: quickstart-trust
               name: quickstart-trust

Setup CCS/R

edit

Now that trust has been established, you can set up CCS/R from the ECK cluster to the Elasticsearch Service cluster or from the Elasticsearch Service cluster to the ECK cluster.

ECK Cluster to Elasticsearch Service cluster

edit

Configure the ECK cluster using certificate based authentication.

Elasticsearch Service cluster to ECK Cluster

edit

Follow the steps outlined in the ECK documentation.