es-secure-settings.asciidoc
:parent_page_id: elasticsearch-specification
:page_id: es-secure-settings
ifdef::env-github[]
****
link:https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-{parent_page_id}.html#k8s-{page_id}[View this document on the Elastic website]
****
endif::[]
[id="{p}-{page_id}"]
= Secure settings
You can specify link:https://www.elastic.co/guide/en/elasticsearch/reference/current/secure-settings.html[secure settings] with Kubernetes secrets.
The secrets should contain a key-value pair for each secure setting you want to add. ECK automatically injects these settings into the keystore on each Elasticsearch node before it starts Elasticsearch.
It is possible to reference several secrets:
[source,yaml]
----
spec:
  secureSettings:
  - secretName: one-secure-settings-secret
  - secretName: two-secure-settings-secret
----
For the following secret, a `gcs.client.default.credentials_file` key will be created in Elasticsearch's keystore with the provided value:
[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: one-secure-settings-secret
type: Opaque
data:
  gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK
----
You can export a subset of secret keys and also project keys to specific paths using the `entries`, `key` and `path` fields:
[source,yaml]
----
spec:
  secureSettings:
  - secretName: gcs-secure-settings
    entries:
    - key: gcs.client.default.credentials_file
    - key: gcs_client_1
      path: gcs.client.client_1.credentials_file
    - key: gcs_client_2
      path: gcs.client.client_2.credentials_file
----
For the three entries listed for the `gcs-secure-settings` secret, three keys are created in Elasticsearch's keystore:
- `gcs.client.default.credentials_file`
- `gcs.client.client_1.credentials_file`
- `gcs.client.client_2.credentials_file`
The referenced `gcs-secure-settings` secret looks like this:
[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: gcs-secure-settings
type: Opaque
data:
  gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK
  gcs_client_1: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDEK
  gcs_client_2: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDIK
----
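The following is an added example, not part of the ECK documentation or code base: it models the projection rules described above (whole secret when `entries` is absent, listed keys only when it is present, `path` overriding the keystore key) so you can check offline which keystore keys a given `spec.secureSettings` list would produce from the referenced secrets. The sample secrets are the manifests on this page; raising on a missing secret or key and on two entries targeting the same keystore key is this example's own choice, not documented ECK behaviour.

```python
import base64

# Constructed sample data mirroring the manifests on this page (not ECK's own
# code); the values are the page's base64 strings.
SECRETS = {
    "one-secure-settings-secret": {
        "gcs.client.default.credentials_file": "RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK",
    },
    "gcs-secure-settings": {
        "gcs.client.default.credentials_file": "RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK",
        "gcs_client_1": "RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDEK",
        "gcs_client_2": "RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDIK",
    },
}

# spec.secureSettings from the `entries`/`path` example above.
PROJECTED_SPEC = [{
    "secretName": "gcs-secure-settings",
    "entries": [
        {"key": "gcs.client.default.credentials_file"},
        {"key": "gcs_client_1", "path": "gcs.client.client_1.credentials_file"},
        {"key": "gcs_client_2", "path": "gcs.client.client_2.credentials_file"},
    ],
}]


def keystore_entries(secure_settings, secrets):
    """Return {keystore key: decoded bytes} for a spec.secureSettings list.

    Without `entries` every secret key is injected under its own name; with
    `entries` only the listed keys are, under `path` if given, else `key`.
    Raising on missing secrets/keys and on keystore-key collisions is this
    example's choice (an assumption, not documented ECK behaviour).
    """
    keystore = {}
    for ref in secure_settings:
        name = ref["secretName"]
        if name not in secrets:
            raise KeyError(f"secret {name!r} not found")
        data = secrets[name]
        entries = ref.get("entries") or [{"key": k} for k in data]
        for entry in entries:
            key, path = entry["key"], entry.get("path", entry["key"])
            if key not in data:
                raise KeyError(f"key {key!r} missing from secret {name!r}")
            if path in keystore:
                raise ValueError(f"keystore key {path!r} set by more than one entry")
            # Secret `data` is base64, not encrypted; validate=True rejects junk.
            keystore[path] = base64.b64decode(data[key], validate=True)
    return keystore
```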
Check <<{p}-snapshots,How to create automated snapshots>> for an example use case.
WARNING: If using <<{p}-advanced-node-scheduling>> in conjunction with secure settings, you have to add an `initContainers` section to the `podTemplate` to ensure all the required environment variables exist for the initialization of the keystore. Refer to <<{p}-availability-zone-awareness-example,Zone Awareness>> for a complete example.