From ee15eccec1b4fca1767263461eb69b609e5c8373 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Fri, 3 Oct 2025 14:44:32 -0500 Subject: [PATCH 01/16] Add documentation for managing ECK file-based password length. Signed-off-by: Michael Montgomery --- .../managed-credentials-eck.md | 81 ++++++++++++++++++- 1 file changed, 79 insertions(+), 2 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index a43aa6b69d..481913e5f0 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -62,7 +62,6 @@ kubectl delete secret quickstart-es-elastic-user If you are using the `elastic` user credentials in your own applications, they will fail to connect to {{es}} and {{kib}} after you run this command. It is not recommended to use `elastic` user credentials for production use cases. Always [create your own users with restricted roles](../../../deploy-manage/users-roles/cluster-or-deployment-auth/native.md) to access {{es}}. :::: - To regenerate all auto-generated credentials in a namespace, run the following command: ```sh @@ -99,4 +98,82 @@ For more information, refer to [External authentication](/deploy-manage/users-ro ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}. -Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. \ No newline at end of file +## Controlling the length of ECK-generated passwords + +```{applies_to} + eck: ga 3.2 +``` + +With an enterprise license users can control the password length of the file-based passwords generated by {{eck}}. + +:::{note} +In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. +::: + +### Controlling the length of passwords in Helm installations + +If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. + +For example: +```shell +helm upgrade -i eck-operator -n elastic-system --set=config.policies.passwords.length=64 +``` + +This will cause any new file-based passwords that are generated to be a length of 64. + +::: {note} +This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](k8s-rotate-credentials) +::: + +### Using the operator manifests + +If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), some additional changes are required to control password length. + +1. Set the `password-length` in the `ConfigMap`. + +```yaml +cat < Date: Mon, 6 Oct 2025 08:42:20 -0500 Subject: [PATCH 02/16] wording changes. Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 481913e5f0..5acc4fd5ec 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -127,7 +127,7 @@ This will not cause existing passwords to be changed. To change existing passwor ### Using the operator manifests -If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), some additional changes are required to control password length. +If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), a manual update to the `ConfigMap` is required to control password length. 1. Set the `password-length` in the `ConfigMap`. @@ -162,14 +162,14 @@ data: enable-leader-election: true elasticsearch-observation-interval: 10s ubi-only: false - password-legnth: 64 + password-length: 64 EOF ``` -2. Restart the ECK operator +2. Ensure that the ECK operator reloads it's configuration ```shell -kubectl delete pod -n elastic-system elastic-operator-0 +kubectl logs -n elastic-system elastic-operator-0 --since=1m ``` This will cause any new file-based passwords that are generated to be a length of 64. From 4c876a07ff4295dc3f191b5abd501c8485ed1956 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 08:43:39 -0500 Subject: [PATCH 03/16] Add back removed line Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 5acc4fd5ec..49b4b67015 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -98,6 +98,8 @@ For more information, refer to [External authentication](/deploy-manage/users-ro ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}. +Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. + ## Controlling the length of ECK-generated passwords ```{applies_to} From 766a792d2dc4b5a86ab397a5de628deefd72969f Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 08:50:42 -0500 Subject: [PATCH 04/16] Review changes. Signed-off-by: Michael Montgomery --- .../deploy/cloud-on-k8s/configure-eck.md | 1 + .../managed-credentials-eck.md | 54 ++----------------- 2 files changed, 5 insertions(+), 50 deletions(-) diff --git a/deploy-manage/deploy/cloud-on-k8s/configure-eck.md b/deploy-manage/deploy/cloud-on-k8s/configure-eck.md index 455b74c70c..c6a41939d1 100644 --- a/deploy-manage/deploy/cloud-on-k8s/configure-eck.md +++ b/deploy-manage/deploy/cloud-on-k8s/configure-eck.md @@ -97,6 +97,7 @@ data: enable-leader-election: true elasticsearch-observation-interval: 10s ubi-only: false + password-length: 24 ``` Alternatively, you can edit the `elastic-operator` StatefulSet and add flags to the `args` section of the operator container — which will trigger an automatic restart of the operator pod by the StatefulSet controller. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 49b4b67015..799f191bfc 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -116,63 +116,17 @@ In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. -For example: -```shell -helm upgrade -i eck-operator -n elastic-system --set=config.policies.passwords.length=64 -``` - -This will cause any new file-based passwords that are generated to be a length of 64. +Refer to the [operator configuration docs](/deploy-manage/deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. ::: {note} This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](k8s-rotate-credentials) ::: -### Using the operator manifests +### Controlling the length of passwords using the operator manifests -If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), a manual update to the `ConfigMap` is required to control password length. +If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. -1. Set the `password-length` in the `ConfigMap`. - -```yaml -cat < Date: Mon, 6 Oct 2025 08:53:35 -0500 Subject: [PATCH 05/16] adjust pathing. Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 799f191bfc..04d3c3fa37 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -114,7 +114,7 @@ In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. ### Controlling the length of passwords in Helm installations -If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. +If you installed {{eck}} through the Helm chart commands listed in [](/deploy-manage/deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. Refer to the [operator configuration docs](/deploy-manage/deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. @@ -124,7 +124,7 @@ This will not cause existing passwords to be changed. To change existing passwor ### Controlling the length of passwords using the operator manifests -If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. +If you installed ECK through using the manifests using the commands listed in [](/deploy-manage/deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. Refer to the [operator configuration docs](/deploy-manage/deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. From 1e7609603ffa942cf2b7a6b0f56af07d81b5d61b Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 09:18:17 -0500 Subject: [PATCH 06/16] Try different pathing style. Signed-off-by: Michael Montgomery --- .../managed-credentials-eck.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 04d3c3fa37..db1500bf23 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -114,22 +114,22 @@ In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. ### Controlling the length of passwords in Helm installations -If you installed {{eck}} through the Helm chart commands listed in [](/deploy-manage/deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. +If you installed {{eck}} through the Helm chart commands listed in [](../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](/deploy-manage/deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. +Refer to the [operator configuration docs](../deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. ::: {note} -This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](k8s-rotate-credentials) +This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) ::: ### Controlling the length of passwords using the operator manifests -If you installed ECK through using the manifests using the commands listed in [](/deploy-manage/deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. +If you installed ECK through using the manifests using the commands listed in [](../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](/deploy-manage/deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. +Refer to the [operator configuration docs](../deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. This will cause any new file-based passwords that are generated to be a length of 64. ::: {note} -This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](k8s-rotate-credentials) +This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) ::: From ebf786e671f0a0a92cd33e7334b7dc793ef0a5d0 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 09:22:28 -0500 Subject: [PATCH 07/16] Adjust paths again. Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index db1500bf23..a93d923862 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -114,9 +114,9 @@ In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. ### Controlling the length of passwords in Helm installations -If you installed {{eck}} through the Helm chart commands listed in [](../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. +If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](../deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. +Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. ::: {note} This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) @@ -124,9 +124,9 @@ This will not cause existing passwords to be changed. To change existing passwor ### Controlling the length of passwords using the operator manifests -If you installed ECK through using the manifests using the commands listed in [](../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. +If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](../deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. +Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. This will cause any new file-based passwords that are generated to be a length of 64. From ed2dc706253272d4385144b4349a66223c65568a Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 09:29:20 -0500 Subject: [PATCH 08/16] Add .md extension Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index a93d923862..e6c1f2cf65 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -116,7 +116,7 @@ In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck#using-the-operator-helm-chart) for details concerning Helm values management. +Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck.md#using-the-operator-helm-chart) for details concerning Helm values management. ::: {note} This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) @@ -126,7 +126,7 @@ This will not cause existing passwords to be changed. To change existing passwor If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. -Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck#using-the-operator-yaml-manifests) for details concerning manifest management. +Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck.md#using-the-operator-yaml-manifests) for details concerning manifest management. This will cause any new file-based passwords that are generated to be a length of 64. From 3a39b08501c2c916bf613542b84debc6292342bd Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 09:35:50 -0500 Subject: [PATCH 09/16] remove unneeded line Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index e6c1f2cf65..b1fd8f1261 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -128,8 +128,6 @@ If you installed ECK through using the manifests using the commands listed in [] Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck.md#using-the-operator-yaml-manifests) for details concerning manifest management. -This will cause any new file-based passwords that are generated to be a length of 64. - ::: {note} This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) ::: From 04f2f258e8ad44004dd8e17c2cc5f1c2497bf4b2 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 11:31:43 -0500 Subject: [PATCH 10/16] review updates. Signed-off-by: Michael Montgomery --- .../managed-credentials-eck.md | 28 ++++--------------- 1 file changed, 6 insertions(+), 22 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index b1fd8f1261..c0e617330a 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -102,32 +102,16 @@ Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deploymen ## Controlling the length of ECK-generated passwords +:::{note} +The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. +::: + ```{applies_to} eck: ga 3.2 ``` -With an enterprise license users can control the password length of the file-based passwords generated by {{eck}}. +You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. :::{note} -In {{eck}} 3.1 and earlier all file-based passwords are 24 characters long. -::: - -### Controlling the length of passwords in Helm installations - -If you installed {{eck}} through the Helm chart commands listed in [](../../deploy/cloud-on-k8s/install-using-helm-chart.md), you can set `config.policies.passwords.length` to control the length of generated file-based passwords. - -Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck.md#using-the-operator-helm-chart) for details concerning Helm values management. - -::: {note} -This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) -::: - -### Controlling the length of passwords using the operator manifests - -If you installed ECK through using the manifests using the commands listed in [](../../deploy/cloud-on-k8s/install-using-yaml-manifest-quickstart.md), you can set `password-length` in the `elastic-operator` `ConfigMap` to control the length of generated file-based passwords. - -Refer to the [operator configuration docs](../../deploy/cloud-on-k8s/configure-eck.md#using-the-operator-yaml-manifests) for details concerning manifest management. - -::: {note} -This will not cause existing passwords to be changed. To change existing password refer to [Rotating credentials](#k8s-rotate-credentials) +Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k8s-rotate-credentials) ::: From b6a2315fa2dd08e8dd2840709815037c18fb3bbc Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Mon, 6 Oct 2025 13:22:12 -0500 Subject: [PATCH 11/16] Move applies_to Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index c0e617330a..3e39399571 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -101,15 +101,14 @@ ECK facilitates file-based role management through Kubernetes secrets containing Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. ## Controlling the length of ECK-generated passwords - -:::{note} -The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. ::: - ```{applies_to} eck: ga 3.2 ``` +:::{note} +The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. + You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. :::{note} From bc2d0f08f1fe71874d24911c55d53a3d3511286b Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 7 Oct 2025 09:30:13 -0500 Subject: [PATCH 12/16] Add missing end-note Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 3e39399571..1ba10186b6 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -101,13 +101,13 @@ ECK facilitates file-based role management through Kubernetes secrets containing Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. ## Controlling the length of ECK-generated passwords -::: ```{applies_to} eck: ga 3.2 ``` :::{note} The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. +::: You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. From 8c65d1584ae9d307edfc104c08b984977e6ccbca Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 7 Oct 2025 10:12:18 -0500 Subject: [PATCH 13/16] Create new section for auto-generated passwords Signed-off-by: Michael Montgomery --- .../managed-credentials-eck.md | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 1ba10186b6..51dae8bd63 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -50,7 +50,11 @@ spec: count: 1 ``` -## Rotate auto-generated credentials [k8s-rotate-credentials] +## ECK auto-generated credentials + +{{eck}} auto-generates credentials for the `elastic` user and other users. These credentials are stored in Kubernetes Secrets and are labeled with `eck.k8s.elastic.co/credentials=true`. + +### Rotating auto-generated credentials [k8s-rotate-credentials] You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the `elastic` user from the [quickstart example](/deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md), use the following command: @@ -72,6 +76,19 @@ kubectl delete secret -l eck.k8s.elastic.co/credentials=true This command regenerates auto-generated credentials of **all** {{stack}} applications in the namespace. :::: +### Controlling the length of auto-generated passwords +```{applies_to} + eck: ga 2.2 +``` + +:::{note} +The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. +::: + +You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k7s/configure-eck.md) for details on managing these settings. + +Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k7s-rotate-credentials) + ## Creating custom users {{eck}} provides functionality to facilitate custom user creation through various authentication realms. You can create users using the native realm, file realm, or external authentication methods. @@ -99,18 +116,3 @@ For more information, refer to [External authentication](/deploy-manage/users-ro ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}. Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. - -## Controlling the length of ECK-generated passwords -```{applies_to} - eck: ga 3.2 -``` - -:::{note} -The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. -::: - -You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. - -:::{note} -Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k8s-rotate-credentials) -::: From 08f288ba74a7c1a7bc5aa6f1728c48811be9afa7 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 7 Oct 2025 10:15:48 -0500 Subject: [PATCH 14/16] Fix typo Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 51dae8bd63..dc6577264a 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -85,7 +85,7 @@ This command regenerates auto-generated credentials of **all** {{stack}} applica The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. ::: -You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k7s/configure-eck.md) for details on managing these settings. +You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k7s-rotate-credentials) From f18d288708b7d5475b34d9bc123397abf70903e3 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 7 Oct 2025 13:27:12 -0500 Subject: [PATCH 15/16] fix another typo Signed-off-by: Michael Montgomery --- .../cluster-or-deployment-auth/managed-credentials-eck.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index dc6577264a..92033d8c6e 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -87,7 +87,7 @@ The ability to control the length of passwords for [file-based credentials](/dep You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. -Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k7s-rotate-credentials) +Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k8s-rotate-credentials) ## Creating custom users From 48435b0575664c01c6f23aec2c7ca29e192b8cf9 Mon Sep 17 00:00:00 2001 From: Michael Montgomery Date: Tue, 7 Oct 2025 15:50:08 -0500 Subject: [PATCH 16/16] Review changes Signed-off-by: Michael Montgomery --- .../managed-credentials-eck.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index 92033d8c6e..bc21c4b3b2 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -52,9 +52,9 @@ spec: ## ECK auto-generated credentials -{{eck}} auto-generates credentials for the `elastic` user and other users. These credentials are stored in Kubernetes Secrets and are labeled with `eck.k8s.elastic.co/credentials=true`. +{{eck}} auto-generates credentials for [the `elastic` user](#k8s-default-elastic-user) and other file-based users. These credentials are stored in Kubernetes Secrets and are labeled with `eck.k8s.elastic.co/credentials=true`. -### Rotating auto-generated credentials [k8s-rotate-credentials] +### Rotate auto-generated credentials [k8s-rotate-credentials] You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the `elastic` user from the [quickstart example](/deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md), use the following command: @@ -76,18 +76,19 @@ kubectl delete secret -l eck.k8s.elastic.co/credentials=true This command regenerates auto-generated credentials of **all** {{stack}} applications in the namespace. :::: -### Controlling the length of auto-generated passwords +### Control the length of auto-generated passwords + ```{applies_to} - eck: ga 2.2 + eck: ga 3.2 ``` :::{note} -The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. +The ability to control the length of passwords generated by {{eck}} requires an Enterprise license. ::: -You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. +You can control the length of auto-generated passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. -Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k8s-rotate-credentials) +Changing these values does not update existing passwords. To rotate current credentials, refer to the [Rotate auto-generated credentials](#k8s-rotate-credentials) ## Creating custom users