Skip to content

ECH/ECK remote clusters doc is incorrect for trust.yml #1647

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Jun 26, 2025
Merged

ECH/ECK remote clusters doc is incorrect for trust.yml #1647

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
a9db015
remote clusters eck and ech updated
eedugon Jun 9, 2025
24811fd
remote clusters eck and ech updated
eedugon Jun 9, 2025
9801a5b
minor update
eedugon Jun 17, 2025
ffd1409
Merge branch 'main' into eck_trust_ech_fix
eedugon Jun 17, 2025
8c1eece
Apply suggestions from code review
eedugon Jun 25, 2025
19130d4
edit trust moved to its own heading
eedugon Jun 25, 2025
4cc5f1e
Merge branch 'main' into eck_trust_ech_fix
eedugon Jun 25, 2025
cf04753
Merge branch 'main' into eck_trust_ech_fix
eedugon Jun 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 96 additions & 36 deletions deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,84 +12,144 @@ products:

# Remote clusters between {{ech}} and ECK [ec-enable-ccs-for-eck]

These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md).
These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} (ECH) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md).


## Establish trust between two clusters [ec_establish_trust_between_two_clusters]
## Establish trust between the two clusters [ec_establish_trust_between_two_clusters]

The first step is to establish trust between the two clusters.
The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other.

This guide uses TLS certificates to secure remote cluster connections and follows a similar approach to [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md).

### Establish trust in the {{ech}} cluster [ec_establish_trust_in_the_elasticsearch_service_cluster]
### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: an intro sentence before a procedure is nice


1. Save the ECK CA certificate to a file. For a cluster named `quickstart`, run:
To configure trust in the ECH deployment:

1. Save the {{es}} transport CA certificate of your ECK deployment. For an {{es}} cluster named `quickstart`, run:

```sh
kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt
kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck-ca.crt
```

This command saves the certificate to `eck-ca.crt`.

2. Update the trust settings for the {{ech}} deployment:

1. From the **Security** menu, select **Remote Connections > Add trusted environment**, choose **Self-managed**, and click **Next**.

2. Select **Certificates** as the authentication mechanism and click **Next**.

3. In **Add trusted CA certificate**, upload the `eck-ca.crt` file retrieved in the previous step.

4. In **Select trusted clusters**, configure the following:
* Select **Trust clusters whose Common Name follows the Elastic pattern**.
* For **Scope ID**, enter `<kubernetes-namespace>.es.local`, replacing `<kubernetes-namespace>` with the namespace of your ECK cluster.
* In **Trust**, select **All deployments**.

5. In **Name the environment**, enter a name for the trusted environment. That name will appear in the trust summary of your deployment’s **Security** page.

6. Select **Create trust** to complete the configuration.

7. On the confirmation screen, when prompted **Have you already set up trust from the other environment?**, select **No, I have NOT set up trust from the other environment yet**. Download both the ECH deployment CA certificate and the `trust.yml` file. These files can also be retrieved from the **Security** page of the deployment. You’ll use these files to configure trust in the ECK deployment.

### Update the downloaded `trust.yml` file for ECK compatibility

The `trust.yml` file you downloaded from the Cloud UI includes a subject name pattern that isn't valid for your ECK cluster. Before using it in your ECK cluster, you need to update the file with the pattern that matches your cluster.

Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment:

1. Update the trust settings for the {{ech}} deployment. Follow the steps provided in [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md), and specifically the first three steps in **Specify the deployments trusted to be used as remote clusters** using TLS certificate as security model.
```sh
"*.node.*.cluster.<kubernetes-namespace>.es.local.account"
```

* Use the certificate file saved in the first step.
* Select the {{ecloud}} pattern and enter `default.es.local` for the `Scope ID`.
Replace it with the correct subject name for your ECK cluster. The new subject name should use the following pattern:

2. Select `Save` and then download the CA Certificate and `trust.yml` file. These files can also be retrieved in the `Security` page of the deployment. You will use these files in the next set of steps.
```sh
"*.node.<cluster-name>.<kubernetes-namespace>.es.local"
```

::::{important}
If you don’t update this entry, {{es}} nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation.
::::

For example, the original downloaded file might contain the following:

```yaml
trust.subject_name:
- "*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account" <1>
- "*.node.*.cluster.<kubernetes-namespace>.es.local.account" <2>
```
1. This entry identifies your ECH deployment. Leave it unchanged.
2. This entry identifies your ECK deployment incorrectly, and must be updated.

For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following:

```yaml
trust.subject_name:
- "*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account"
- "*.node.quickstart.default.es.local"
```

Apply the changes and save the `trust.yml` file.


### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster]

1. Upload the {{ech}} certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.
To configure trust in the ECK deployment:

1. In the same namespace as your {{es}} cluster, upload the ECH CA certificate that you downloaded from the Cloud UI as a Kubernetes secret:

```sh
kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>
kubectl create secret generic remote-ech-ca --from-file=ca.crt=<path-to-CA-certificate-file> -n <namespace>
```

2. Upload the `trust.yml` file (that you downloaded in the last step of the previous section) as a Kubernetes config map.
2. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes config map. For a cluster named `quickstart`, run the following command:

```sh
kubectl create configmap quickstart-trust --from-file=<path to trust.yml>
kubectl create configmap quickstart-trust-ech --from-file=trust.yml=<path-to-trust.yml> -n <namespace>
```

3. Edit the {{es}} kubernetes resource to ensure the following sections are included. This assumes the {{es}} deployment is named `quickstart`. Make sure to replace the `CA-Certificate-Filename` placeholder with the correct value. Note that these configuration changes are required for all `nodeSets`. Applying this change requires all pods in all `nodeSets` to be deleted and recreated, which might take quite a while to complete.
3. Edit the {{es}} Kubernetes resource to reference the ECH CA certificate and trust.yml file. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively:

::::{note}
Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which might take some time to complete.
::::

```yaml
spec:
nodeSets:
- config:
xpack.security.transport.ssl.certificate_authorities:
- /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml
xpack.security.transport.ssl.certificate_authorities:
- /usr/share/elasticsearch/config/ech-ca/ca.crt
xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml
podTemplate:
spec:
containers:
- name: elasticsearch
volumeMounts:
- mountPath: /usr/share/elasticsearch/config/other
name: ce-aws-cert
- mountPath: /usr/share/elasticsearch/config/trust-filter
name: quickstart-trust
volumeMounts:
- mountPath: /usr/share/elasticsearch/config/ech-ca
name: remote-ech-ca
- mountPath: /usr/share/elasticsearch/config/trust-filter
name: eck-ech-trust
volumes:
- name: ce-aws-cert
secret:
secretName: ce-aws-cert
- configMap:
name: quickstart-trust
name: quickstart-trust
- name: remote-ech-ca
secret:
secretName: remote-ech-ca <1>
- name: eck-ech-trust
configMap:
name: quickstart-trust-ech <2>
```


1. Ensure `secretName` matches the name of the Secret you created earlier.
2. Ensure `name` matches the name of the ConfigMap you created earlier.

## Set up CCS/R [ec_setup_ccsr]

Now that trust has been established, you can set up CCS/R from the ECK cluster to the {{ech}} cluster or from the {{ech}} cluster to the ECK cluster.

Now that trust has been established, you can set up CCS/R from the ECK cluster to the ECH cluster or from the ECH cluster to the ECK cluster.

### ECK Cluster to {{ech}} cluster [ec_eck_cluster_to_elasticsearch_service_cluster]

Configure the ECK cluster [using certificate based authentication](ec-remote-cluster-self-managed.md).

Configure the ECH deployment as a remote on your ECK cluster following [](ec-remote-cluster-self-managed.md#ec_connect_to_the_remote_cluster_4) steps.

### {{ech}} cluster to ECK Cluster [ec_elasticsearch_service_cluster_to_eck_cluster]

Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api).
Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api) to expose the transport layer of your ECK cluster, and configure the ECK cluster as a remote of your ECH deployment.
Loading