diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md index a2056d6c36..dccc7eca80 100644 --- a/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md +++ b/deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md @@ -29,3 +29,11 @@ spec: Enabling the remote cluster server triggers a restart of the {{es}} cluster. :::: +::::{note} +If you use externally managed certificates for the transport layer, ensure that: + +* Your certificates cover the remote cluster service (`-es-remote-cluster`) and Pod FQDNs. +* Each nodeSet defines the `xpack.security.remote_cluster_server.ssl.key` and `xpack.security.remote_cluster_server.ssl.certificate` settings. + +For a complete example, refer to [Configure remote cluster server with externally managed certificates](/deploy-manage/security/k8s-transport-settings.md#rcs-third-party). +:::: diff --git a/deploy-manage/security/k8s-transport-settings.md b/deploy-manage/security/k8s-transport-settings.md index d08f5b8c3d..456024ec75 100644 --- a/deploy-manage/security/k8s-transport-settings.md +++ b/deploy-manage/security/k8s-transport-settings.md @@ -90,7 +90,7 @@ The following example configuration using [cert-manager csi-driver](https://cert apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: - name: es + name: quickstart spec: version: 8.16.1 transport: 
@@ -125,8 +125,7 @@ spec: 1. Disables the default certificates generated by ECK for the transport layer. 2. The example assumes that a `ClusterIssuer` by the name of `ca-cluster-issuer` exists and a PEM encoded version of the CA certificate is available in a ConfigMap (in the example named `trust`). The CA certificate must be in a file called `ca.crt` inside the ConfigMap in the same namespace as the {{es}} resource. -3. If the remote cluster server is enabled, then the DNS names must also include both:* The DNS name for the related Kubernetes `Service`: `-es-remote-cluster.${POD_NAMESPACE}.svc` -* The Pod DNS name: `${POD_NAME}.-es-.${POD_NAMESPACE}.svc` +3. If the remote cluster server is enabled, additional DNS names and nodeSet configuration are required. For details, refer to [Configure remote cluster server with externally managed certificates](#rcs-third-party). The following manifest is only provided to illustrate how these certificates can be configured in principle, using the trust-manager Bundle resource and cert-manager provisioned certificates: 
@@ -166,4 +165,57 @@ spec: When transitioning from a configuration that uses externally provisioned certificates back to ECK-managed self-signed transport certificates it is important to ensure that the externally provisioned CA remains configured as a trusted CA through the `.spec.transport.tls.certificateAuthorities` attribute until all nodes in the cluster have been updated to use the ECK-managed certificates. When transitioning from ECK-managed certificates to externally provisioned ones, ECK ensures automatically that the ECK CA remains configured until the transition has been completed. +### Configure remote cluster server with externally managed certificates [rcs-third-party] + +If you enable the remote cluster server interface for [Remote clusters](/deploy-manage/remote-clusters/eck-remote-clusters-landing.md) with API key-based authentication and use third-party tools to issue transport certificates, you must apply additional configuration beyond the settings shown in the previous example: + +* Extend the certificate SANs to cover the remote cluster service and Pod FQDNs: + * `-es-remote-cluster.${POD_NAMESPACE}.svc` + * `${POD_NAME}.-es-.${POD_NAMESPACE}.svc` +* Configure the `xpack.security.remote_cluster_server.ssl.key` and `xpack.security.remote_cluster_server.ssl.certificate` settings in every nodeSet. 
+ +The following manifest shows a complete configuration for a cluster named `quickstart` with a single nodeSet named `default`: + +```yaml +apiVersion: elasticsearch.k8s.elastic.co/v1 +kind: Elasticsearch +metadata: + name: quickstart +spec: + version: 8.16.1 + remoteClusterServer: + enabled: true + transport: + tls: + certificateAuthorities: + configMapName: trust + selfSignedCertificates: + disabled: true + nodeSets: + - name: default + count: 3 + config: + xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key + xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt + xpack.security.remote_cluster_server.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key <1> + xpack.security.remote_cluster_server.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt <1> + podTemplate: + spec: + containers: + - name: elasticsearch + volumeMounts: + - name: transport-certs + mountPath: /usr/share/elasticsearch/config/cert-manager-certs + volumes: + - name: transport-certs + csi: + driver: csi.cert-manager.io + readOnly: true + volumeAttributes: + csi.cert-manager.io/issuer-name: ca-cluster-issuer + csi.cert-manager.io/issuer-kind: ClusterIssuer + csi.cert-manager.io/dns-names: "${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local,quickstart-es-remote-cluster.${POD_NAMESPACE}.svc,${POD_NAME}.quickstart-es-default.${POD_NAMESPACE}.svc" <2> +``` +1. The remote cluster server endpoint uses the same certificate as the transport endpoint. +2. The DNS names include the Pod FQDNs and the remote cluster service FQDN.
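Review bot: In the new `eck_rcs_enable.md` note, the service name `-es-remote-cluster` is missing its cluster-name prefix, so a reader may take the leading hyphen literally. Write it with an explicit placeholder, for example `<cluster-name>-es-remote-cluster`, and say what "Pod FQDNs" means here (the per-Pod DNS name under the nodeSet headless service), otherwise the bullet does not tell the operator which SANs to add and a certificate missing either name fails TLS hostname verification on the remote cluster interface.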
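Review bot: Renaming the example cluster from `es` to `quickstart` in `k8s-transport-settings.md` (the `metadata.name` hunk) only changes the one line shown; any other occurrence in that first manifest that embeds the cluster name, in particular the `csi.cert-manager.io/dns-names` value, must be updated in the same change or the SANs no longer match the Services ECK creates for `quickstart`. Please confirm the rest of that manifest was checked, since the hunk context does not show it.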
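Review bot: Replacing callout 3 with a cross-reference also fixes the old rendering where the list was fused onto the callout line (`include both:* The DNS name ...`), which is good; just verify the anchor `#rcs-third-party` resolves to the heading id `[rcs-third-party]` added later in this file, and consider keeping one sentence in the callout stating that extra SANs are needed so the first example is not silently incomplete for readers who do not follow the link.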
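Review bot: The SAN bullets in the new `rcs-third-party` section repeat the missing-placeholder problem: `-es-remote-cluster.${POD_NAMESPACE}.svc` and `${POD_NAME}.-es-.${POD_NAMESPACE}.svc` drop the cluster name and nodeSet name that the manifest below fills in as `quickstart-es-remote-cluster` and `quickstart-es-default`. Use explicit placeholders such as `<cluster-name>-es-remote-cluster.${POD_NAMESPACE}.svc` and `${POD_NAME}.<cluster-name>-es-<nodeset-name>.${POD_NAMESPACE}.svc` so they can be mapped onto the example. Two smaller points: the section mixes "externally managed", "third-party tools" and "externally provisioned" for the same thing, so pick the term used in the heading; and callout `<1>` is attached to two lines with a single explanation, so either reference both settings in that explanation or number them separately.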