From a9db015bef88068b1f3abe91a65795191d6f7ebb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Mon, 9 Jun 2025 11:40:08 +0200 Subject: [PATCH 1/5] remote clusters eck and ech updated --- .../remote-clusters/ec-enable-ccs-for-eck.md | 123 +++++++++++++----- 1 file changed, 88 insertions(+), 35 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index ee9bd6382c..9d33fb11bd 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md 
@@ -12,84 +12,137 @@ products: # Remote clusters between {{ech}} and ECK [ec-enable-ccs-for-eck] -These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). +These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} (ECH) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). ## Establish trust between two clusters [ec_establish_trust_between_two_clusters] -The first step is to establish trust between the two clusters. +The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. +This guide uses TLS certificates as the security model for remote clusters and follows a similar approach to [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md). -### Establish trust in the {{ech}} cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] +### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] -1. Save the ECK CA certificate to a file. For a cluster named `quickstart`, run: +1. Save the {{es}} transport CA certificate of your ECK deployment. 
For a cluster named `quickstart`, run: ```sh - kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt + kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck-ca.crt ``` + This command saves the certificate to `eck-ca.crt`. -1. Update the trust settings for the {{ech}} deployment. Follow the steps provided in [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md), and specifically the first three steps in **Specify the deployments trusted to be used as remote clusters** using TLS certificate as security model. +2. Update the trust settings for the {{ech}} deployment: - * Use the certificate file saved in the first step. - * Select the {{ecloud}} pattern and enter `default.es.local` for the `Scope ID`. + 1. From the **Security** menu, select **Remote Connections > Add trusted environment**, choose **Self-managed**, and click **Next**. -2. Select `Save` and then download the CA Certificate and `trust.yml` file. These files can also be retrieved in the `Security` page of the deployment. You will use these files in the next set of steps. + 2. Select **Certificates** as authentication mechanism and click **Next**. + 3. In **Add trusted CA certificate**, upload the `eck-ca.crt` file retrieved in the previous step. + + 4. In **Select trusted clusters**, configure the following: + * Select **Trust clusters whose Common Name follows the Elastic pattern**. + * For **Scope ID**, enter `.es.local`, replacing `` with the namespace of your ECK deployment. + * In **Trust**, select **All deployments**. + + 5. In **Name the environment**, enter a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page. + + 6. Select **Create trust** to complete the configuration. + + 7. 
On the confirmation screen, when prompted **Have you already set up trust from the other environment?**, select **No, I have NOT set up trust from the other environment yet**. Download both the ECH deployment CA certificate and the `trust.yml` file. These files can also be retrieved from the **Security** page of the deployment. You’ll use these files to configure trust in the ECK deployment. ### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster] -1. Upload the {{ech}} certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret. +1. Edit the `trust.yml` file downloaded in the previous step from the Cloud UI to adapt it to your ECK cluster. The file includes a subject name pattern that is not compatible with ECK. + + Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: + + ```sh + "*.node.*.cluster..es.local.account" + ``` + + with the correct subject name for your ECK cluster, using the following pattern: + + ```sh + "*.node...es.local" + ``` + + ::::{important} + If you don’t update this entry, {{es}} nodes of your ECK deployment may fail to start or join the cluster due to failed trust validation. + :::: + + For example, the original downloaded file might contain: + + ```yaml + trust.subject_name: + - "*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account" <1> + - "*.node.*.cluster..es.local.account" <2> + ``` + 1. This entry identifies your ECH deployment. Leave it unchanged. + 2. This entry identifies your ECK deployment incorrectly, and must be updated. + + For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like: + + ```yaml + trust.subject_name: + - "*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account" + - "*.node.quickstart.default.es.local" + ``` + + Apply the changes and save the `trust.yml` file. + +2. 
In the same namespace as your {{es}} cluster, upload the ECH CA certificate that you downloaded from the Cloud UI as a Kubernetes Secret: ```sh - kubectl create secret generic ce-aws-cert --from-file= + kubectl create secret generic remote-ech-ca --from-file=ca.crt= -n ``` -2. Upload the `trust.yml` file (that you downloaded in the last step of the previous section) as a Kubernetes config map. +3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run: ```sh - kubectl create configmap quickstart-trust --from-file= + kubectl create configmap quickstart-trust-ech --from-file=trust.yml= -n ``` -3. Edit the {{es}} kubernetes resource to ensure the following sections are included. This assumes the {{es}} deployment is named `quickstart`. Make sure to replace the `CA-Certificate-Filename` placeholder with the correct value. Note that these configuration changes are required for all `nodeSets`. Applying this change requires all pods in all `nodeSets` to be deleted and recreated, which might take quite a while to complete. +4. Edit the {{es}} Kubernetes resource to include the following configuration. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: + + ::::{note} + Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which may take some time to complete. 
+ :::: ```yaml spec: nodeSets: - config: - xpack.security.transport.ssl.certificate_authorities: - - /usr/share/elasticsearch/config/other/ - xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml + xpack.security.transport.ssl.certificate_authorities: + - /usr/share/elasticsearch/config/ech-ca/ca.crt + xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml podTemplate: spec: containers: - name: elasticsearch - volumeMounts: - - mountPath: /usr/share/elasticsearch/config/other - name: ce-aws-cert - - mountPath: /usr/share/elasticsearch/config/trust-filter - name: quickstart-trust + volumeMounts: + - mountPath: /usr/share/elasticsearch/config/ech-ca + name: remote-ech-ca + - mountPath: /usr/share/elasticsearch/config/trust-filter + name: eck-ech-trust volumes: - - name: ce-aws-cert - secret: - secretName: ce-aws-cert - - configMap: - name: quickstart-trust - name: quickstart-trust + - name: remote-ech-ca + secret: + secretName: remote-ech-ca <1> + - name: eck-ech-trust + configMap: + name: quickstart-trust-ech <2> ``` - - + 1. Ensure `secretName` matches the name of the Secret you created earlier. + 2. Ensure `name` matches the name of the ConfigMap you created earlier. ## Set up CCS/R [ec_setup_ccsr] -Now that trust has been established, you can set up CCS/R from the ECK cluster to the {{ech}} cluster or from the {{ech}} cluster to the ECK cluster. - +Now that trust has been established, you can set up CCS/R from the ECK cluster to the ECH cluster or from the ECH cluster to the ECK cluster. ### ECK Cluster to {{ech}} cluster [ec_eck_cluster_to_elasticsearch_service_cluster] -Configure the ECK cluster [using certificate based authentication](ec-remote-cluster-self-managed.md). - +Configure the ECH deployment as a remote on your ECK cluster following [](ec-remote-cluster-self-managed.md#ec_connect_to_the_remote_cluster_4) steps. 
### {{ech}} cluster to ECK Cluster [ec_elasticsearch_service_cluster_to_eck_cluster] -Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api). +Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api) to expose the transport layer of your ECK cluster, and configure the ECK cluster as a remote of your ECH deployment. From 24811fd401c3eaaa6f8387b364c87beaa7b4565b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Mon, 9 Jun 2025 11:48:54 +0200 Subject: [PATCH 2/5] remote clusters eck and ech updated --- deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index 9d33fb11bd..2c90e75426 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md @@ -41,7 +41,7 @@ This guide uses TLS certificates as the security model for remote clusters and f 4. In **Select trusted clusters**, configure the following: * Select **Trust clusters whose Common Name follows the Elastic pattern**. - * For **Scope ID**, enter `.es.local`, replacing `` with the namespace of your ECK deployment. + * For **Scope ID**, enter `.es.local`, replacing `` with the namespace of your ECK cluster. * In **Trust**, select **All deployments**. 5. In **Name the environment**, enter a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page. From 9801a5b40a223cc55322f8657f37703652e3f2bd Mon Sep 17 00:00:00 2001 
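Review bot: the two `trust.subject_name` examples in this hunk contradict callout 1. The "original downloaded file" sample lists `"*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account"`, but the "updated file should look like" sample lists `"*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account"` (different hash and different account id), while the callout tells the reader to leave that entry unchanged. Use one identifier in both snippets so the only visible change is the ECK line. Two smaller points on the same hunk: the Scope ID step reads `enter ``.es.local`, replacing `` with the namespace`, so the placeholder token is not rendering; check the source and make sure the placeholder survives Markdown rendering (the same empty-placeholder effect shows in `--from-file=ca.crt= -n` and in the two subject-name patterns). And since the ECH side is configured with **Trust: All deployments** for the namespace-scoped pattern, it would help to state in one sentence that every ECK cluster in that namespace whose transport certificate matches the pattern is trusted, and to explain why the Cloud-generated `*.node.*.cluster.<ns>.es.local.account` entry is usable on the ECH side when the same entry is described as incorrect for ECK, otherwise readers will wonder how the ECH side validates ECK node certificates at all.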
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Tue, 17 Jun 2025 09:05:36 +0200 Subject: [PATCH 3/5] minor update --- deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index 2c90e75426..476ea632f0 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md @@ -19,11 +19,11 @@ These steps describe how to configure remote clusters between an {{es}} cluster The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. -This guide uses TLS certificates as the security model for remote clusters and follows a similar approach to [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md). +This guide uses TLS certificates to secure remote cluster connections and follows a similar approach to [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md). ### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] -1. Save the {{es}} transport CA certificate of your ECK deployment. For a cluster named `quickstart`, run: +1. Save the {{es}} transport CA certificate of your ECK deployment. For an {{es}} cluster named `quickstart`, run: ```sh kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck-ca.crt From 8c1eecefe93596056873aba7844fff0847a6f229 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Wed, 25 Jun 2025 10:19:24 +0200 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../remote-clusters/ec-enable-ccs-for-eck.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index 476ea632f0..205e096425 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md @@ -15,7 +15,7 @@ products: These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} (ECH) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). -## Establish trust between two clusters [ec_establish_trust_between_two_clusters] +## Establish trust between the two clusters [ec_establish_trust_between_two_clusters] The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. @@ -35,7 +35,7 @@ This guide uses TLS certificates to secure remote cluster connections and follow 1. From the **Security** menu, select **Remote Connections > Add trusted environment**, choose **Self-managed**, and click **Next**. - 2. Select **Certificates** as authentication mechanism and click **Next**. + 2. Select **Certificates** as the authentication mechanism and click **Next**. 3. In **Add trusted CA certificate**, upload the `eck-ca.crt` file retrieved in the previous step. 
@@ -54,23 +54,23 @@ This guide uses TLS certificates to secure remote cluster connections and follow 1. Edit the `trust.yml` file downloaded in the previous step from the Cloud UI to adapt it to your ECK cluster. The file includes a subject name pattern that is not compatible with ECK. - Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: + Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: ```sh "*.node.*.cluster..es.local.account" ``` - with the correct subject name for your ECK cluster, using the following pattern: + Replace it with the correct subject name for your ECK cluster. The new subject name should use the following pattern: ```sh "*.node...es.local" ``` ::::{important} - If you don’t update this entry, {{es}} nodes of your ECK deployment may fail to start or join the cluster due to failed trust validation. + If you don’t update this entry, {{es}} nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation. :::: - For example, the original downloaded file might contain: + For example, the original downloaded file might contain the following: ```yaml trust.subject_name: @@ -80,7 +80,7 @@ This guide uses TLS certificates to secure remote cluster connections and follow 1. This entry identifies your ECH deployment. Leave it unchanged. 2. This entry identifies your ECK deployment incorrectly, and must be updated. - For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like: + For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following: ```yaml trust.subject_name: 
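Review bot: the rewritten step now has two consecutive sentences starting with "Replace" ("Replace the line corresponding to the `Scope ID` ..." followed by "Replace it with the correct subject name ..."), which reads as if two edits are required; make the first one a locate step, for example "Find the line corresponding to the `Scope ID` you entered ..." and keep "Replace it with ..." for the second. While touching these lines, the two subject-name snippets are fenced as ```sh although they contain a quoted YAML string rather than a shell command; a `text` or `yaml` fence would avoid shell highlighting and copy-as-command behaviour.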
@@ -96,16 +96,16 @@ This guide uses TLS certificates to secure remote cluster connections and follow kubectl create secret generic remote-ech-ca --from-file=ca.crt= -n ``` -3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run: +3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run the following command: ```sh kubectl create configmap quickstart-trust-ech --from-file=trust.yml= -n ``` -4. Edit the {{es}} Kubernetes resource to include the following configuration. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: +4. Edit the {{es}} Kubernetes resource to reference the new certificate and trust.yml file. This example assumes that the Kubernetes secret and ConfigMap created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: ::::{note} - Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which may take some time to complete. + Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which might take some time to complete. :::: ```yaml From 19130d4f96a0f2c58fc355842e10be634a8f024b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edu=20Gonz=C3=A1lez=20de=20la=20Herr=C3=A1n?= <25320357+eedugon@users.noreply.github.com> Date: Wed, 25 Jun 2025 13:00:42 +0200 Subject: [PATCH 5/5] edit trust moved to its own heading --- .../remote-clusters/ec-enable-ccs-for-eck.md | 69 ++++++++++--------- 1 file changed, 38 insertions(+), 31 deletions(-) diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index 205e096425..71de1e8bad 100644 
--- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md @@ -23,6 +23,8 @@ This guide uses TLS certificates to secure remote cluster connections and follow ### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] +To configure trust in the ECH deployment: + 1. Save the {{es}} transport CA certificate of your ECK deployment. For an {{es}} cluster named `quickstart`, run: ```sh 
@@ -50,59 +52,64 @@ This guide uses TLS certificates to secure remote cluster connections and follow 7. On the confirmation screen, when prompted **Have you already set up trust from the other environment?**, select **No, I have NOT set up trust from the other environment yet**. Download both the ECH deployment CA certificate and the `trust.yml` file. These files can also be retrieved from the **Security** page of the deployment. You’ll use these files to configure trust in the ECK deployment. -### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster] +### Update the downloaded `trust.yml` file for ECK compatibility -1. Edit the `trust.yml` file downloaded in the previous step from the Cloud UI to adapt it to your ECK cluster. The file includes a subject name pattern that is not compatible with ECK. +The `trust.yml` file you downloaded from the Cloud UI includes a subject name pattern that isn't valid for your ECK cluster. Before using it in your ECK cluster, you need to update the file with the pattern that matches your cluster. - Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: +Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: - ```sh - "*.node.*.cluster..es.local.account" - ``` +```sh +"*.node.*.cluster..es.local.account" +``` - Replace it with the correct subject name for your ECK cluster. The new subject name should use the following pattern: +Replace it with the correct subject name for your ECK cluster. The new subject name should use the following pattern: - ```sh - "*.node...es.local" - ``` +```sh +"*.node...es.local" +``` - ::::{important} - If you don’t update this entry, {{es}} nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation. 
- :::: +::::{important} +If you don’t update this entry, {{es}} nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation. +:::: - For example, the original downloaded file might contain the following: +For example, the original downloaded file might contain the following: - ```yaml - trust.subject_name: - - "*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account" <1> - - "*.node.*.cluster..es.local.account" <2> - ``` - 1. This entry identifies your ECH deployment. Leave it unchanged. - 2. This entry identifies your ECK deployment incorrectly, and must be updated. +```yaml +trust.subject_name: + - "*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account" <1> + - "*.node.*.cluster..es.local.account" <2> +``` +1. This entry identifies your ECH deployment. Leave it unchanged. +2. This entry identifies your ECK deployment incorrectly, and must be updated. - For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following: +For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following: - ```yaml - trust.subject_name: - - "*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account" - - "*.node.quickstart.default.es.local" - ``` +```yaml +trust.subject_name: + - "*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account" + - "*.node.quickstart.default.es.local" +``` + +Apply the changes and save the `trust.yml` file. + + +### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster] - Apply the changes and save the `trust.yml` file. +To configure trust in the ECK deployment: -2. In the same namespace as your {{es}} cluster, upload the ECH CA certificate that you downloaded from the Cloud UI as a Kubernetes Secret: +1. 
In the same namespace as your {{es}} cluster, upload the ECH CA certificate that you downloaded from the Cloud UI as a Kubernetes secret: ```sh kubectl create secret generic remote-ech-ca --from-file=ca.crt= -n ``` -3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run the following command: +2. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes config map. For a cluster named `quickstart`, run the following command: ```sh kubectl create configmap quickstart-trust-ech --from-file=trust.yml= -n ``` -4. Edit the {{es}} Kubernetes resource to reference the new certificate and trust.yml file. This example assumes that the Kubernetes secret and ConfigMap created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: +3. Edit the {{es}} Kubernetes resource to reference the ECH CA certificate and trust.yml file. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: ::::{note} Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which might take some time to complete.
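Review bot: the new heading `### Update the downloaded `trust.yml` file for ECK compatibility` is the only heading in this file without an anchor id, whereas its siblings carry one (`[ec_establish_trust_in_the_eck_cluster]`, `[ec_setup_ccsr]`); add an anchor in the same `[ec_...]` style so the section can be linked from the surrounding remote-cluster pages and does not get an auto-generated slug that changes with the title. The promotion of the edit instructions out of the numbered list is otherwise sound: the ECK section restarts at step 1 and the secret/config-map steps now refer to "the updated `trust.yml` file" consistently. One consistency nit in the moved block: the same before/after `trust.subject_name` snippets still show different ECH identifiers (`...e00d...1075999151` versus `...e89d...1075708151`) next to the instruction to leave that entry unchanged; this is a good place to align them.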