diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md index cb69f1a66d..7c27936335 100644 --- a/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md @@ -2,6 +2,7 @@ This snippet is in use in the following locations: - ece-remote-cluster-self-managed.md - ece-remote-cluster-other-ece.md +- ece-enable-ccs-for-eck.md It requires remote_type substitution to be defined --> @@ -10,7 +11,7 @@ It requires remote_type substitution to be defined Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. -3. Access the **Security** page of the deployment. +3. From the navigation menu, select **Security**. 4. Select **Remote Connections > Add trusted environment** and choose **{{remote_type}}**. Then click **Next**. 5. Select **API keys** as authentication mechanism and click **Next**. 6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select **No, it is private**. 
@@ -21,13 +22,13 @@ It requires remote_type substitution to be defined * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - 2. Click **Add** to save the API key to the keystore. + 2. Click **Add** to save the API key. 3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS. 8. Add the CA certificate of the remote environment. 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page. 10. Select **Create trust** to complete the configuration. -11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. +11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. ::::{note} If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md index c90dce8320..4ffc88b42c 100644 --- a/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md 
@@ -4,23 +4,24 @@ This snippet is in use in the following locations: - ece-remote-cluster-same-ece.md - ece-remote-cluster-other-ece.md - ece-remote-cluster-ece-ess.md +- ece-enable-ccs-for-eck.md --> 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). 2. On the **Deployments** page, select your deployment. Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. -3. From the deployment menu, select **Security**. +3. From the navigation menu, select **Security**. 4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. 1. Fill both fields. - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. + * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - 2. Click **Add** to save the API key to the keystore. + 2. Click **Add** to save the API key. -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**. +5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. ::::{note} If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. 
diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md index b99d1b1b5d..9fdad7d076 100644 --- a/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md @@ -2,6 +2,7 @@ This snippet is in use in the following locations: - ec-remote-cluster-self-managed.md - ec-remote-cluster-ece.md +- ec-enable-ccs-for-eck.md It requires remote_type substitution to be defined --> @@ -21,13 +22,13 @@ It requires remote_type substitution to be defined * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - 2. Click **Add** to save the API key to the keystore. + 2. Click **Add** to save the API key. 3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS. 8. Add the CA certificate of the remote environment. 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page. 10. Select **Create trust** to complete the configuration. -11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. +11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. ::::{note} If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. 
diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md index b18e85989d..eb8a7d349b 100644 --- a/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md @@ -4,6 +4,8 @@ This snippet is in use in the following locations: - ec-remote-cluster-same-ess.md - ec-remote-cluster-other-ess.md - ec-remote-cluster-ece.md +- ec-enable-ccs-for-eck.md + --> 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). 2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. 
@@ -15,12 +17,12 @@ This snippet is in use in the following locations: 1. Fill both fields. - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. + * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. 2. Click **Add** to save the API key. -5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**. +5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. ::::{note} If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. diff --git a/deploy-manage/remote-clusters/_snippets/eck_expose_transport.md b/deploy-manage/remote-clusters/_snippets/eck_expose_transport.md new file mode 100644 index 0000000000..a3308a1de4 --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/eck_expose_transport.md 
@@ -0,0 +1,15 @@ +Expose the transport service (defaults to port `9300`) of your ECK cluster to allow external {{es}} clusters to connect: + +```yaml +apiVersion: elasticsearch.k8s.elastic.co/v1 +kind: Elasticsearch +metadata: + name: +spec: + transport: + service: + spec: + type: LoadBalancer <1> +``` + +1. On cloud providers which support external load balancers, setting the type field to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `-es-transport` through one of the Kubernetes Ingress controllers that support TCP services. diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md new file mode 100644 index 0000000000..ffb9cba4b8 --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md @@ -0,0 +1,5 @@ +On the local deployment, add the remote ECK cluster using {{kib}} or the {{es}} API with the following connection settings: + +* **Remote address**: Use the FQDN or IP address of the LoadBalancer service, or similar resource, you created to expose the remote cluster server interface (for API key-based authentication) or the transport interface (for TLS certificate-based authentication). + +* **TLS server name**: You can try leaving this field empty first. If the connection fails, and your environment is presenting the ECK-managed certificates during the TLS handshake, use `-es-remote-cluster..svc` as the server name. For example, for a cluster named `quickstart` in the `default` namespace, use `quickstart-es-remote-cluster.default.svc`. diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md new file mode 100644 index 0000000000..d92280a68d --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md 
@@ -0,0 +1,23 @@ +By default, the remote cluster server interface is deactivated on ECK-managed clusters. To use the API key–based security model for cross-cluster connections, you must first enable it on the remote {{es}} cluster: + +```yaml subs=true +apiVersion: elasticsearch.k8s.elastic.co/v1 +kind: Elasticsearch +metadata: + name: + namespace: +spec: + version: {{version.stack}} + remoteClusterServer: + enabled: true + nodeSets: + - name: default + count: 3 + ... + ... +``` + +::::{note} +Enabling the remote cluster server triggers a restart of the {{es}} cluster. +:::: + diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_expose.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_expose.md new file mode 100644 index 0000000000..5b4da6dc2d --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/eck_rcs_expose.md 
@@ -0,0 +1,52 @@ +When the remote cluster server is enabled, ECK automatically creates a Kubernetes service named `-es-remote-cluster` that exposes the server internally on port `9443`. + +To allow clusters running outside your Kubernetes environment to connect to this {{es}} cluster, you must expose this service externally. The way to expose this service depends on your ECK version. + +:::::{applies-switch} + +::::{applies-item} eck: ga 3.3 +You can customize how the remote cluster service is exposed by overriding its service specification directly under `spec.remoteClusterServer.service` in the {{es}} resource. By default, this service listens on port 9443. + +```yaml +apiVersion: elasticsearch.k8s.elastic.co/v1 +kind: Elasticsearch +metadata: + name: + namespace: +spec: + version: 9.2.1 + remoteClusterServer: + enabled: true + service: + spec: + type: LoadBalancer <1> + nodeSets: + - name: default + count: 3 + ... + ... +``` +1. On cloud providers that support external load balancers, setting the type to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `-es-remote-cluster` through one of the Kubernetes Ingress controllers that support TCP services. +:::: + +::::{applies-item} eck: ga 3.0 + +In ECK 3.2 and earlier, you can't customize the service that ECK generates for the remote cluster interface, but you can create your own `LoadBalancer` service, `Ingress` object, or use another method available in your environment. + +For example, for a cluster named `quickstart`, the following command creates a separate `LoadBalancer` service named `quickstart-es-remote-cluster-lb`, pointing to the ECK-managed service `quickstart-es-remote-cluster`: + +```sh +kubectl expose service quickstart-es-remote-cluster \ + --name=quickstart-es-remote-cluster-lb \ + --type=LoadBalancer \ <1> + --port=9443 --target-port=9443 +``` +1. 
On cloud providers that support external load balancers, setting the type to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `-es-remote-cluster` through one of the Kubernetes Ingress controllers that support TCP services. + +:::: +::::: + +:::{warning} +If you change the service’s `port`, set `targetPort` explicitly to `9443`, which is the default remote cluster server listening port. Otherwise, Kubernetes uses the same value for both fields, resulting in failed connections. +::: + diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_retrieve_ca.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_retrieve_ca.md new file mode 100644 index 0000000000..81a6a4adfd --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/eck_rcs_retrieve_ca.md 
@@ -0,0 +1,17 @@ +The certificate authority (CA) used by ECK to issue certificates for the remote cluster server interface is stored in the `ca.crt` key of the secret named `-es-transport-certs-public`. + +If the external connections reach the {{es}} Pods on port `9443` without any intermediate TLS termination, you need to retrieve this CA because it is required in the local cluster configuration to establish trust. + +If TLS is terminated by any intermediate component and the certificate presented is not the ECK-managed one, use the CA associated with that component, or omit the CA entirely if it uses a publicly trusted certificate. + +To save the transport CA certificate of a cluster named `quickstart` into a local file, run the following command: + +```sh +kubectl get secret quickstart-es-transport-certs-public \ +-o go-template='{{index .data "ca.crt" | base64decode}}' > eck_transport_ca.crt +``` + +::::{important} +ECK-managed CA certificates are automatically rotated after one year by default, but you can [configure](/deploy-manage/deploy/cloud-on-k8s/configure-eck.md) a different validity period. When the CA certificate is rotated, ensure that this CA is updated in all environments where it's used to preserve trust. +:::: + diff --git a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md index 7aa6cd014e..1060e90113 100644 --- a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md +++ b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md 
@@ -2,6 +2,8 @@ This snippet is in use in the following locations: - ece-remote-cluster-self-managed.md - ec-remote-cluster-self-managed.md +- ece-enable-ccs-for-eck.md +- ec-enable-ccs-for-eck.md --> To add a remote cluster, use the [cluster update settings API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-put-settings). Configure the following fields: diff --git a/deploy-manage/remote-clusters/_snippets/rcs-kibana-api-snippet-self.md b/deploy-manage/remote-clusters/_snippets/rcs-kibana-api-snippet-self.md index 46c102530d..25f580826c 100644 --- a/deploy-manage/remote-clusters/_snippets/rcs-kibana-api-snippet-self.md +++ b/deploy-manage/remote-clusters/_snippets/rcs-kibana-api-snippet-self.md @@ -2,6 +2,8 @@ This snippet is in use in the following locations: - ece-remote-cluster-self-managed.md - ec-remote-cluster-self-managed.md +- ece-enable-ccs-for-eck.md +- ec-enable-ccs-for-eck.md --> 1. Go to the **Remote Clusters** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). 2. Select **Add a remote cluster**. diff --git a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md index 588d5b3ca2..55e2d4efbb 100644 --- a/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ec-enable-ccs-for-eck.md 
@@ -8,20 +8,87 @@ applies_to: eck: ga products: - id: cloud-hosted +sub: + remote_type: Self-managed --- # Connect {{ech}} deployments to {{eck}} clusters [ec-enable-ccs-for-eck] These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} (ECH) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). +:::{include} _snippets/terminology.md +::: -## Establish trust between the two clusters [ec_establish_trust_between_two_clusters] -The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. +## Allow the remote connection [ec_allow_the_remote_connection_4] -This guide uses TLS certificates to secure remote cluster connections and follows a similar approach to [Access clusters of a self-managed environment](ec-remote-cluster-self-managed.md). 
+:::{include} _snippets/allow-connection-intro.md +::: -### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] +:::::::{tab-set} + +::::::{tab-item} API key + +:::{include} _snippets/apikeys-intro.md +::: + +### Prerequisites and limitations [ec_prerequisites_and_limitations_4] + +:::{include} _snippets/apikeys-prerequisites-limitations.md +::: + +### Enable the remote cluster server interface on the remote ECK cluster + +:::{include} _snippets/eck_rcs_enable.md +::: + +### Configure external access to the remote cluster server interface + +:::{include} _snippets/eck_rcs_expose.md +::: + + +### Retrieve the ECK-managed CA certificate of the remote cluster server [fetch-ca-cert] + +:::{include} _snippets/eck_rcs_retrieve_ca.md +::: + +### Create a cross-cluster API key on the remote cluster [ec_create_a_cross_cluster_api_key_on_the_remote_deployment_4] + +:::{include} _snippets/apikeys-create-key.md +::: + + +### Configure the local deployment [ec_configure_the_local_deployment_2] + +:::{include} _snippets/apikeys-local-config-intro.md +::: + +The steps to follow depend on whether the certificate authority (CA) presented by the remote cluster server, proxy, or load-balancing infrastructure is publicly trusted or private. + +::::{dropdown} The CA is public + +:::{include} _snippets/apikeys-local-ech-remote-public.md +::: + +:::: + +::::{dropdown} The CA is private (ECK-managed transport certificates) + +When adding the CA certificate in the next steps, use either the ECK-managed transport CA obtained [previously](#fetch-ca-cert), or the CA of the component that terminates TLS connections to clients. 
+ +:::{include} _snippets/apikeys-local-ech-remote-private.md +::: +:::: + +:::::: + +::::::{tab-item} TLS certificate (deprecated) +### Establish mutual trust between the clusters [ec_establish_trust_between_two_clusters] + +When using TLS certificates-based authentication, the first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. + +#### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] To configure trust in the ECH deployment: @@ -52,7 +119,7 @@ To configure trust in the ECH deployment: 7. On the confirmation screen, when prompted **Have you already set up trust from the other environment?**, select **No, I have NOT set up trust from the other environment yet**. Download both the ECH deployment CA certificate and the `trust.yml` file. These files can also be retrieved from the **Security** page of the deployment. You’ll use these files to configure trust in the ECK deployment. -### Update the downloaded `trust.yml` file for ECK compatibility +#### Update the downloaded `trust.yml` file for ECK compatibility The `trust.yml` file you downloaded from the Cloud UI includes a subject name pattern that isn't valid for your ECK cluster. Before using it in your ECK cluster, you need to update the file with the pattern that matches your cluster. @@ -92,8 +159,7 @@ trust.subject_name: Apply the changes and save the `trust.yml` file. - -### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster] +#### Establish trust in the ECK cluster [ec_establish_trust_in_the_eck_cluster] To configure trust in the ECK deployment: 
@@ -142,14 +208,30 @@ To configure trust in the ECK deployment: 1. Ensure `secretName` matches the name of the Secret you created earlier. 2. Ensure `name` matches the name of the ConfigMap you created earlier. -## Set up CCS/R [ec_setup_ccsr] +### Configure external access to the transport interface of your ECK cluster + +:::{include} _snippets/eck_expose_transport.md +::: + +:::::: +::::::: + +## Connect to the remote cluster [ec_connect_to_the_remote_cluster_4] + +:::{include} _snippets/eck_rcs_connect_intro.md +::: + +### Using {{kib}} [ec_using_kibana_4] -Now that trust has been established, you can set up CCS/R from the ECK cluster to the ECH cluster or from the ECH cluster to the ECK cluster. +:::{include} _snippets/rcs-kibana-api-snippet-self.md +::: -### ECK Cluster to {{ech}} cluster [ec_eck_cluster_to_elasticsearch_service_cluster] +### Using the {{es}} API [ec_using_the_elasticsearch_api_4] -Configure the ECH deployment as a remote on your ECK cluster following [](ec-remote-cluster-self-managed.md#ec_connect_to_the_remote_cluster_4) steps. +:::{include} _snippets/rcs-elasticsearch-api-snippet-self.md +::: -### {{ech}} cluster to ECK Cluster [ec_elasticsearch_service_cluster_to_eck_cluster] +## Configure roles and users [ec_configure_roles_and_users_4] -Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api) to expose the transport layer of your ECK cluster, and configure the ECK cluster as a remote of your ECH deployment. +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ece-enable-ccs-for-eck.md b/deploy-manage/remote-clusters/ece-enable-ccs-for-eck.md index 359957486c..c94416be73 100644 --- a/deploy-manage/remote-clusters/ece-enable-ccs-for-eck.md +++ b/deploy-manage/remote-clusters/ece-enable-ccs-for-eck.md 
@@ -8,19 +8,87 @@ applies_to: eck: ga products: - id: cloud-enterprise +sub: + remote_type: Self-managed --- # Connect {{ece}} deployments to {{eck}} clusters [ece-enable-ccs-for-eck] -These steps describe how to configure remote clusters between an {{es}} cluster in {{ece}} and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). +These steps describe how to configure remote clusters between an {{es}} cluster in {{ece}} (ECE) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that's done, you'll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). +:::{include} _snippets/terminology.md +::: -## Establish trust between two clusters [ece_establish_trust_between_two_clusters] -The first step is to establish trust between the two clusters. 
+## Allow the remote connection [ece_allow_the_remote_connection_4] +:::{include} _snippets/allow-connection-intro.md +::: -### Establish trust in the {{ece}} cluster [ece_establish_trust_in_the_elastic_cloud_enterprise_cluster] +:::::::{tab-set} + +::::::{tab-item} API key + +:::{include} _snippets/apikeys-intro.md +::: + +### Prerequisites and limitations [ece_prerequisites_and_limitations_4] + +:::{include} _snippets/apikeys-prerequisites-limitations.md +::: + +### Enable the remote cluster server interface on the remote ECK cluster + +:::{include} _snippets/eck_rcs_enable.md +::: + +### Configure external access to the remote cluster server interface + +:::{include} _snippets/eck_rcs_expose.md +::: + + +### Retrieve the ECK-managed CA certificate of the remote cluster server [fetch-ca-cert] + +:::{include} _snippets/eck_rcs_retrieve_ca.md +::: + +### Create a cross-cluster API key on the remote cluster [ece_create_a_cross_cluster_api_key_on_the_remote_deployment_4] + +:::{include} _snippets/apikeys-create-key.md +::: + + +### Configure the local deployment [ece_configure_the_local_deployment_2] + +:::{include} _snippets/apikeys-local-config-intro.md +::: + +The steps to follow depend on whether the certificate authority (CA) presented by the remote cluster server, proxy, or load-balancing infrastructure is publicly trusted or private. + +::::{dropdown} The CA is public + +:::{include} _snippets/apikeys-local-ece-remote-public.md +::: + +:::: + +::::{dropdown} The CA is private (ECK-managed transport certificates) + +When adding the CA certificate in the next steps, use either the ECK-managed transport CA obtained [previously](#fetch-ca-cert), or the CA of the component that terminates TLS connections to clients. 
+ +:::{include} _snippets/apikeys-local-ece-remote-private.md +::: +:::: + +:::::: + +::::::{tab-item} TLS certificate (deprecated) +### Establish mutual trust between the clusters [ece_establish_trust_between_two_clusters] + +When using TLS certificates-based authentication, the first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other. + +#### Establish trust in the {{ece}} cluster [ece_establish_trust_in_the_elastic_cloud_enterprise_cluster] 1. Save the ECK CA certificate to a file. For a cluster named `quickstart`, run: @@ -37,7 +105,7 @@ The first step is to establish trust between the two clusters. 2. Select `Save` and then download the CA Certificate and `trust.yml` file. These files can also be retrieved in the `Security` page of the deployment. You will use these files in the next set of steps. -### Establish trust in the ECK cluster [ece_establish_trust_in_the_eck_cluster] +#### Establish trust in the ECK cluster [ece_establish_trust_in_the_eck_cluster] 1. Upload the {{ece}} certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret. 
@@ -78,18 +146,30 @@ The first step is to establish trust between the two clusters. name: quickstart-trust ``` +### Configure external access to the transport interface of your ECK cluster + +:::{include} _snippets/eck_expose_transport.md +::: +:::::: +::::::: -## Set up CCS/R [ece_setup_ccsr] +## Connect to the remote cluster [ece_connect_to_the_remote_cluster_4] -Now that trust has been established, you can set up CCS/R from the ECK cluster to the {{ece}} cluster or from the {{ece}} cluster to the ECK cluster. +:::{include} _snippets/eck_rcs_connect_intro.md +::: +### Using {{kib}} [ece_using_kibana_4] -### ECK Cluster to {{ece}} cluster [ece_eck_cluster_to_elastic_cloud_enterprise_cluster] +:::{include} _snippets/rcs-kibana-api-snippet-self.md +::: -Configure the ECK cluster [using certificate based authentication](ece-remote-cluster-self-managed.md). +### Using the {{es}} API [ece_using_the_elasticsearch_api_4] +:::{include} _snippets/rcs-elasticsearch-api-snippet-self.md +::: -### {{ece}} cluster to ECK Cluster [ece_elastic_cloud_enterprise_cluster_to_eck_cluster] +## Configure roles and users [ece_configure_roles_and_users_4] -Follow the steps outlined in the [ECK documentation](/deploy-manage/remote-clusters/eck-remote-clusters.md#k8s_configure_the_remote_cluster_connection_through_the_elasticsearch_rest_api). +:::{include} _snippets/configure-roles-and-users.md +:::
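Review bot: The unchanged note under the restart step in the apikeys-local-* snippets still says "the keystore is reloaded automatically with the new API keys", while the edited steps no longer mention a keystore at all ("Click **Add** to save the API key", "reload the new settings"), so the note now refers to something the procedure never introduced. Keep one mention of the keystore in the restart step or reword the note to match the new wording. The restart step also reads "new settings" in the two private snippets and "new setting" in the two public ones; pick one form.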
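Review bot: eck_expose_transport.md sets `type: LoadBalancer` on the transport service (port `9300`) "to allow external {{es}} clusters to connect" and says nothing about limiting who can reach the resulting endpoint. Add a sentence recommending that access be restricted to the connecting clusters, for example with `loadBalancerSourceRanges` in the service spec or an equivalent network control, and repeat it in eck_rcs_expose.md for port `9443`, where both the `spec.remoteClusterServer.service` example and the `kubectl expose` example create the same kind of endpoint.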
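Review bot: The **Remote address** bullet in eck_rcs_connect_intro.md names only "the FQDN or IP address" and never the port, although the expose snippets publish `9443` for the remote cluster server and `9300` for the transport interface; say which port goes with which authentication method. In the **TLS server name** bullet, "You can try leaving this field empty first" leaves the value to trial and error, and the only name given is the remote cluster server one even though the address bullet also covers the transport interface; state that the server name has to match a name in the certificate the endpoint presents and give the transport equivalent. The pattern also reads `-es-remote-cluster..svc`, with nothing before the leading dash or between the two dots, while the example is `quickstart-es-remote-cluster.default.svc`; check that the cluster-name and namespace placeholders are present and survive rendering, here and in the empty `name:` and `namespace:` fields of the YAML examples.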
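Review bot: The ECK 3.3 example in eck_rcs_expose.md hard-codes `version: 9.2.1`, while eck_rcs_enable.md uses `version: {{version.stack}}` in a `yaml subs=true` block; use the substitution here as well so the two manifests do not drift apart. The second tab is tagged `eck: ga 3.0` but its text opens with "In ECK 3.2 and earlier"; confirm that the tag and the sentence describe the same version range.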
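Review bot: The `kubectl get secret quickstart-es-transport-certs-public` command in eck_rcs_retrieve_ca.md carries no namespace option, although the manifests in eck_rcs_enable.md and eck_rcs_expose.md include a `namespace:` field, so the command only works when the cluster lives in the namespace of the current context. Add `-n` with a namespace placeholder or state that the example assumes the current namespace; the same applies to `kubectl expose service quickstart-es-remote-cluster` in eck_rcs_expose.md. Since the secret is named `-es-transport-certs-public` and the output file `eck_transport_ca.crt`, it would also help to say once, next to the command, that the remote cluster server interface reuses the transport CA.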
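Review bot: The rewrites of ec-enable-ccs-for-eck.md and ece-enable-ccs-for-eck.md delete headings whose anchors may be linked from other pages: `ec_setup_ccsr`, `ec_eck_cluster_to_elasticsearch_service_cluster`, `ec_elasticsearch_service_cluster_to_eck_cluster`, and the `ece_setup_ccsr`, `ece_eck_cluster_to_elastic_cloud_enterprise_cluster`, `ece_elastic_cloud_enterprise_cluster_to_eck_cluster` equivalents. Check for inbound links before merging. The new headings "Enable the remote cluster server interface on the remote ECK cluster", "Configure external access to the remote cluster server interface" and "Configure external access to the transport interface of your ECK cluster" have no explicit anchor while their siblings do; add ids for consistency. The dropdown titled "The CA is private (ECK-managed transport certificates)" also covers, per its first sentence, "the CA of the component that terminates TLS connections to clients", so the parenthetical is narrower than the content and could be dropped or widened.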