=======
elastic
=======

install eck
^^^^^^^^^^^

Use the official Elastic `documentation `_ for up-to-date instructions.

.. code-block:: console

    ## install custom resource definitions
    kubectl create -f https://download.elastic.co/downloads/eck/2.10.0/crds.yaml
    ## install operator with rbac rules
    kubectl apply -f https://download.elastic.co/downloads/eck/2.10.0/operator.yaml

upgrading eck
^^^^^^^^^^^^^

I'll need to check the `docs `_ on upgrading eck at some point in the near future.

tls support
^^^^^^^^^^^

The elasticsearch nodes can automagically set up and use self-signed certs. This is a great option, and it's pretty easy to get set up. However, I like to torture myself and went with using my own custom CA to sign certs. The tls_ page has information on the various tls options available.

.. _tls: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-tls-certificates.html#k8s-setting-up-your-own-certificate

Using `ingress` with the self-signed certs didn't work, but that's a problem for future me. According to the logs the ingress would try to talk http to the https endpoints, and I haven't figured out how to force https yet. I think it has something to do with the nginx `annotations` inside the `ingress`, but I haven't found the right combination yet. And really how much time do I want to put into it?

adding the cert/key
^^^^^^^^^^^^^^^^^^^

To hold the tls cert/key, create a secret:

.. code-block:: console

    kubectl create secret generic elasticlab --from-file=../ca.crt --from-file=tls.crt --from-file=tls.key

Change the `elasticlab` to the name you'll use in the elasticsearch config. Add another secret for kibana.

get the elastic user's password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

`elasticsearch-es-elastic-user` needs to be updated based on the name of the install. For example, I have `name: elasticsearch` in my deployment config, so `elasticsearch-es-elastic-user` is where the password is stored.

.. code-block:: console

    kubectl get secret elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'

add a custom ca.crt to the containers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is from `Justin Lim's blog <https://www.gooksu.com/2022/07/mounting-certificates-cas-for-elasticsearch-pods-in-k8s-for-custom-configurations-eck/>`_. Adding a custom ca.crt to a container will help prevent issues when connecting to a service using a cert/key from that CA.

.. code-block:: console

    kubectl create secret generic ca --from-file=ca.crt

Then it needs to be mounted in the elasticsearch containers by adding this to the configuration:

.. literalinclude:: src/ca_mount.yml
    :language: yaml

As always with Ubuntu (which was a surprise to me), the added CA cert should be a single cert. No chains! A cert chain will say it's being loaded, but not actually work.
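
The single-cert requirement can be checked before the `ca` secret is created, since a chain fails silently. This is an added example, not code from this page or from Justin Lim's blog: it counts the PEM certificate blocks in a file. The function names are hypothetical, and the secret name `ca` and key `ca.crt` are assumed from the `kubectl create secret` command above.

```shell
#!/bin/sh
# Added example: pre-flight check that ca.crt is a single cert, not a chain.

# Print the number of complete PEM certificate blocks in FILE ("-" = stdin).
# Exit status 2 if the file is unreadable or BEGIN/END markers do not pair up.
count_pem_certs() {
    f="${1:--}"
    [ "$f" = "-" ] || [ -r "$f" ] || return 2
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        END { if (inblk || bad) exit 2; print n + 0 }
    ' "$f"
}

# Return 0 only when FILE holds exactly one certificate; 1 for a chain or a
# file with no certificate, 2 for unreadable or malformed PEM.
check_single_ca() {
    n=$(count_pem_certs "$1") || { echo "$1: unreadable or malformed PEM" >&2; return 2; }
    case "$n" in
        1) return 0 ;;
        0) echo "$1: no certificate found" >&2; return 1 ;;
        *) echo "$1: $n certificates found, expected a single CA cert" >&2; return 1 ;;
    esac
}

# Same check against what is already stored in the cluster. Assumes the secret
# name "ca" and key "ca.crt" (assumption taken from the create command above);
# needs kubectl access to the namespace.
check_secret_ca() {
    kubectl get secret "${1:-ca}" \
        -o go-template='{{index .data "ca.crt" | base64decode}}' |
        { n=$(count_pem_certs -) && [ "$n" -eq 1 ]; }
}

# Typical use:
#   check_single_ca ca.crt && kubectl create secret generic ca --from-file=ca.crt
```
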