elastic

install eck

Use the official Elastic documentation for up-to-date instructions.

    # install custom resource definitions
    kubectl create -f https://download.elastic.co/downloads/eck/2.10.0/crds.yaml

    # install operator with rbac rules
    kubectl apply -f https://download.elastic.co/downloads/eck/2.10.0/operator.yaml

upgrading eck

I’ll need to check the docs on upgrading eck at some point in the near future.

tls support

The elasticsearch nodes can automagically set up and use self-signed certs. This is a great option, and it’s pretty easy to get set up.

However I like to torture myself and went with using my own custom CA to sign certs.

The tls page has information on the various tls options available.

Using ingress with the self-signed certs didn’t work, but that’s a problem for future me. According to the logs the ingress would try to talk http to the https endpoints, and I haven’t figured out how to force https yet. I think it has something to do with the nginx annotations inside the ingress, but I haven’t found the right combination yet. And really how much time do I want to put into it?

adding the cert/key

To hold the tls cert/key, create a secret:

    kubectl create secret generic elasticlab --from-file=../ca.crt --from-file=tls.crt --from-file=tls.key

Change elasticlab to the name you’ll use in the elasticsearch config. Add another secret for kibana.

get the elastic user’s password

The secret name elasticsearch-es-elastic-user needs to be updated based on the name of the install. For example, I have name: elasticsearch in my deployment config, so elasticsearch-es-elastic-user is where the password is stored.

    kubectl get secret elasticsearch-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'

add a custom ca.crt to the containers

This is from [Justin Lim’s blog](https://www.gooksu.com/2022/07/mounting-certificates-cas-for-elasticsearch-pods-in-k8s-for-custom-configurations-eck/). Adding a custom ca.crt to a container will help prevent issues when connecting to a service using a cert/key from that CA.

    kubectl create secret generic ca --from-file=ca.crt

Then it needs to be mounted in the elasticsearch containers by adding this to the configuration:

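        # under the pod template spec (spec.nodeSets[].podTemplate.spec)
        volumes:
        # volume backed by the "ca" secret created above
        - name: ca
          secret:
            secretName: ca
        containers:
        - name: elasticsearch
          volumeMounts:
          - name: ca
            mountPath: /usr/share/elasticsearch/config/certificates
            readOnly: true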

As always with Ubuntu (which was a surprise to me), the added CA cert should be a single cert. No chains! A cert chain will say it’s being loaded, but not actually work.
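
A pre-flight check for the files that go into the secrets above, covering both the cert/key secret and the single-cert rule for ca.crt. This is an added example, not part of the original notes; the function names are made up here, and it assumes the leaf cert is signed directly by the CA with no intermediates.

```shell
#!/bin/sh
# Added example: checks to run on ca.crt, tls.crt and tls.key before
# creating the secrets. Function names are made up for this sketch.
# Assumes the leaf cert is signed directly by the CA (no intermediates).

# Print the number of PEM certificates in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only when the file holds exactly one certificate (no chain).
is_single_cert() {
    [ "$(count_certs "$1")" = 1 ]
}

# Succeed when the certificate and private key share a public key.
cert_matches_key() {  # $1 = tls.crt, $2 = tls.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed when tls.crt verifies against the CA certificate.
signed_by_ca() {  # $1 = ca.crt, $2 = tls.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; print the first failure and return non-zero.
preflight() {  # $1 = ca.crt, $2 = tls.crt, $3 = tls.key
    is_single_cert "$1" || { echo "$1: expected exactly one cert" >&2; return 1; }
    cert_matches_key "$2" "$3" || { echo "$2 does not match $3" >&2; return 1; }
    signed_by_ca "$1" "$2" || { echo "$2 is not signed by $1" >&2; return 1; }
}

# Usage, with the file names from the commands above:
#   preflight ../ca.crt tls.crt tls.key && \
#     kubectl create secret generic elasticlab --from-file=../ca.crt \
#       --from-file=tls.crt --from-file=tls.key
```

The key comparison reads only the first certificate in tls.crt, so it still works if that file carries extra certs after the leaf.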