TLS certificates
This section only covers TLS certificates for the HTTP layer. TLS certificates for the transport layer that are used for internal communications between Elasticsearch nodes are managed by ECK and cannot be changed.
Default self-signed certificate
By default, the operator manages a self-signed certificate with a custom CA for each resource.
The CA, the certificate and the private key are each stored in a separate Secret.

```sh
> kubectl get secret | grep es-http
hulk-es-http-ca-internal         Opaque      2      28m
hulk-es-http-certs-internal      Opaque      2      28m
hulk-es-http-certs-public        Opaque      1      28m
```

The public certificate is stored in a secret named <name>-[es|kb|apm|ent]-http-certs-public.

```sh
> kubectl get secret hulk-es-http-certs-public -o go-template='{{index .data "tls.crt" | base64decode }}'
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIQHC4O/RWX15a3/P3upsm3djANBgkqhkiG9w0BAQsFADA6
...
QLYL4zLEby3vRxq65+xofVBJAaM=
-----END CERTIFICATE-----
```
Reserve static IP and custom domain
To use a custom domain name with the self-signed certificate, you can reserve a static IP and/or use an Ingress instead of a LoadBalancer Service. Whatever you use, your DNS name must be added to the certificate SAN in the spec.http.tls.selfSignedCertificate.subjectAltNames section of your Elastic resource manifest.

```yaml
spec:
  http:
    service:
      spec:
        type: LoadBalancer
    tls:
      selfSignedCertificate:
        subjectAltNames:
        - ip: 160.46.176.15
        - dns: hulk.example.com
```
Set up your own certificate
You can bring your own certificate to configure TLS to ensure that communication between HTTP clients and the cluster is encrypted.
Create a Kubernetes secret with:
- ca.crt: CA certificate (optional if tls.crt was issued by a well-known CA).
- tls.crt: The certificate.
- tls.key: The private key to the first certificate in the certificate chain.

```sh
kubectl create secret generic my-cert --from-file=ca.crt=tls.crt --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key
```
Then reference the secret name in the http.tls.certificate section of the resource manifest.

```yaml
spec:
  http:
    tls:
      certificate:
        secretName: my-cert
```
Disable TLS
You can explicitly disable TLS for Kibana, APM Server, Enterprise Search and the HTTP layer of Elasticsearch.

```yaml
spec:
  http:
    tls:
      selfSignedCertificate:
        disabled: true
```
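
The following audit is an added example, not part of the ECK documentation. It reads resources exported with `kubectl get elasticsearch,kibana -A -o json` and reports which HTTP-layer TLS mode each one uses, based on the three spec.http.tls settings described on this page. The sample resources, the function names, and the rules that flag a LoadBalancer without SANs or a manifest that sets both `disabled` and `secretName` are assumptions made for the illustration.

```python
import json

# Constructed sample, shaped like `kubectl get elasticsearch,kibana -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Elasticsearch", "metadata": {"namespace": "default", "name": "hulk"},
  "spec": {"http": {"service": {"spec": {"type": "LoadBalancer"}},
    "tls": {"selfSignedCertificate": {"subjectAltNames": [
      {"ip": "160.46.176.15"}, {"dns": "hulk.example.com"}]}}}}},
 {"kind": "Kibana", "metadata": {"namespace": "default", "name": "hulk"},
  "spec": {"http": {"tls": {"certificate": {"secretName": "my-cert"}}}}},
 {"kind": "Kibana", "metadata": {"namespace": "dev", "name": "scratch"},
  "spec": {"http": {"tls": {"selfSignedCertificate": {"disabled": true}}}}},
 {"kind": "Elasticsearch", "metadata": {"namespace": "dev", "name": "edge"},
  "spec": {"http": {"service": {"spec": {"type": "LoadBalancer"}}}}}
]}
""")

def http_tls_mode(resource):
    """Return (mode, detail) for the HTTP-layer TLS settings of one resource."""
    http = resource.get("spec", {}).get("http") or {}
    tls = http.get("tls") or {}
    self_signed = tls.get("selfSignedCertificate") or {}
    secret = (tls.get("certificate") or {}).get("secretName")
    if self_signed.get("disabled"):
        # Both fields set is ambiguous to a reader: report it for manual review.
        return ("conflict", secret) if secret else ("disabled", None)
    if secret:
        return "custom", secret
    sans = [v for entry in self_signed.get("subjectAltNames") or []
            for v in entry.values()]
    return "self-signed", sans

def audit(resource_list):
    """List (resource, finding) pairs that deserve a reviewer's attention."""
    findings = []
    for res in resource_list.get("items", []):
        meta = res["metadata"]
        ident = f'{res["kind"]}/{meta["namespace"]}/{meta["name"]}'
        mode, detail = http_tls_mode(res)
        service = (res.get("spec", {}).get("http") or {}).get("service") or {}
        exposed = (service.get("spec") or {}).get("type") == "LoadBalancer"
        if mode == "disabled":
            findings.append((ident, "HTTP TLS disabled"))
        elif mode == "conflict":
            findings.append((ident, f"TLS disabled but secret {detail} referenced"))
        elif mode == "self-signed" and exposed and not detail:
            findings.append((ident, "LoadBalancer with self-signed cert and no SANs"))
    return findings
```

Call `audit(json.load(sys.stdin))` on real `kubectl` output to list the resources that serve plain HTTP or that are exposed with a certificate clients cannot match to a name.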