Enabling CCS/R between Elasticsearch Service and ECK
These steps describe how to configure remote clusters between an Elasticsearch cluster in Elasticsearch Service and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.
Establish trust between two clusters
The first step is to establish trust between the two clusters.
Establish trust in the Elasticsearch Service cluster
- Save the ECK CA certificate to a file. For a cluster named quickstart, run:

      kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt

- Update the trust settings for the Elasticsearch Service deployment. Follow the steps provided in Access clusters of a self-managed environment, and specifically the first three steps in Specify the deployments trusted to be used as remote clusters using TLS certificate as security model.
  - Use the certificate file saved in the first step.
  - Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
- Select Save and then download the CA Certificate and trust.yml file. These files can also be retrieved in the Security page of the deployment. You will use these files in the next set of steps.
Establish trust in the ECK cluster
- Upload the Elasticsearch Service certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

      kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>

- Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

      kubectl create configmap quickstart-trust --from-file=<path to trust.yml>

- Edit the Elasticsearch Kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace the CA-Certificate-Filename placeholder with the correct value. Note that these configuration changes are required for all nodeSets. Applying this change requires all pods in all nodeSets to be deleted and recreated, which might take quite a while to complete.

      spec:
        nodeSets:
        - config:
            xpack.security.transport.ssl.certificate_authorities:
            - /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
            xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml
          podTemplate:
            spec:
              containers:
              - name: elasticsearch
                volumeMounts:
                - mountPath: /usr/share/elasticsearch/config/other
                  name: ce-aws-cert
                - mountPath: /usr/share/elasticsearch/config/trust-filter
                  name: quickstart-trust
              volumes:
              - name: ce-aws-cert
                secret:
                  secretName: ce-aws-cert
              - configMap:
                  name: quickstart-trust
                name: quickstart-trust
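
The step above requires the trust settings in every nodeSet. As an added example (not part of the original documentation or of ECK), this Python check reads the Elasticsearch resource as JSON and reports any nodeSet that lacks either setting or references a file that is not on a mounted volume. It assumes the flattened setting keys shown above; the sample manifest and the ca.crt filename are constructed.

```python
import json
import sys

CA_KEY = "xpack.security.transport.ssl.certificate_authorities"
TRUST_KEY = "xpack.security.transport.ssl.trust_restrictions.path"
OTHER = "/usr/share/elasticsearch/config/other"
FILTER = "/usr/share/elasticsearch/config/trust-filter"

def check_nodeset(ns):
    """Return the problems found in one nodeSet (an empty list means OK)."""
    config = ns.get("config") or {}
    pod = (ns.get("podTemplate") or {}).get("spec") or {}
    es = next((c for c in pod.get("containers", []) if c.get("name") == "elasticsearch"), {})
    mounts = {m["mountPath"].rstrip("/"): m["name"] for m in es.get("volumeMounts", [])}
    volumes = {v["name"] for v in pod.get("volumes", [])}
    cas, trust = config.get(CA_KEY) or [], config.get(TRUST_KEY)
    problems = []
    if not cas:
        problems.append(f"{CA_KEY} is not set")
    if not trust:
        # A CA trusted without a restrictions file: any certificate it issued is accepted.
        problems.append(f"{TRUST_KEY} is not set")
    for path in [*cas, *([trust] if trust else [])]:
        # The file's directory must be a volumeMount backed by a declared volume.
        if mounts.get(path.rsplit("/", 1)[0]) not in volumes:
            problems.append(f"{path} is not on a mounted volume")
    return problems

def check_manifest(es):
    """Map each nodeSet name to its list of problems."""
    return {ns.get("name", f"nodeSet[{i}]"): check_nodeset(ns)
            for i, ns in enumerate(es["spec"]["nodeSets"])}

# Constructed sample; ca.crt stands in for the real CA filename, "warm" lacks the trust setup.
SAMPLE = {"spec": {"nodeSets": [
    {"name": "default",
     "config": {CA_KEY: [OTHER + "/ca.crt"], TRUST_KEY: FILTER + "/trust.yml"},
     "podTemplate": {"spec": {
         "containers": [{"name": "elasticsearch", "volumeMounts": [
             {"mountPath": OTHER, "name": "ce-aws-cert"},
             {"mountPath": FILTER, "name": "quickstart-trust"}]}],
         "volumes": [{"name": "ce-aws-cert"}, {"name": "quickstart-trust"}]}}},
    {"name": "warm", "config": {CA_KEY: [OTHER + "/ca.crt"]}}]}}

if __name__ == "__main__":
    # Real use: kubectl get elasticsearch quickstart -o json | python3 <this file> -
    report = check_manifest(json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE)
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(report.values()) else 0)
```

The script exits non-zero when any nodeSet has a problem, so it can gate the change before the pods are recreated.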
Setup CCS/R
Now that trust has been established, you can set up CCS/R from the ECK cluster to the Elasticsearch Service cluster or from the Elasticsearch Service cluster to the ECK cluster.
ECK Cluster to Elasticsearch Service cluster
Configure the ECK cluster using certificate-based authentication.
Elasticsearch Service cluster to ECK Cluster
Follow the steps outlined in the ECK documentation.