elastic · eedugon · Jun 1, 2026 · May 27, 2026 · May 28, 2026 · May 29, 2026
@@ -29,3 +29,6 @@ spec:
 Enabling the remote cluster server triggers a restart of the {{es}} cluster.
 ::::
 
+::::{note}
+If you use externally managed certificates for the transport layer, you must manually configure the remote cluster server interface. Ensure that your certificates cover the related {{k8s}} service (`<cluster-name>-es-remote-cluster`) and Pod FQDNs, and that each nodeSet defines the corresponding `xpack.security.remote_cluster_server.ssl.key` and `xpack.security.remote_cluster_server.ssl.certificate` settings. For a complete example, refer to [Issue node transport certificates with third-party tools](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-third-party-tools).
+::::
@@ -90,7 +90,7 @@
 apiVersion: elasticsearch.k8s.elastic.co/v1
 kind: Elasticsearch
 metadata:
-  name: es
+  name: quickstart
 spec:
   version: 8.16.1
   transport:
@@ -123,10 +123,63 @@
              csi.cert-manager.io/dns-names: "${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local" <3>
 ```
 
 1. Disables the default certificates generated by ECK for the transport layer.
 2. The example assumes that a `ClusterIssuer` by the name of `ca-cluster-issuer` exists and a PEM encoded version of the CA certificate is available in a ConfigMap (in the example named `trust`).  The CA certificate must be in a file called `ca.crt` inside the ConfigMap in the same namespace as the {{es}} resource.
-3. If the remote cluster server is enabled, then the DNS names must also include both:* The DNS name for the related Kubernetes `Service`: `<cluster-name>-es-remote-cluster.${POD_NAMESPACE}.svc`
-* The Pod DNS name: `${POD_NAME}.<cluster-name>-es-<nodeset-name>.${POD_NAMESPACE}.svc`
+3. If the remote cluster server is enabled, the DNS names and nodeSet configuration require additional settings, as shown in the following example.
+
+::::{dropdown} Remote cluster server with third-party transport certificates
+If you enable the remote cluster server interface for [Remote clusters](/deploy-manage/remote-clusters/eck-remote-clusters-landing.md) with API key-based authentication and use third-party tools to issue transport certificates, you must apply additional configuration beyond the settings shown in the previous example:
+
+* DNS names: configure `csi.cert-manager.io/dns-names` to include the remote cluster service and Pod FQDNs, in the following format:
+  * `<cluster-name>-es-remote-cluster.${POD_NAMESPACE}.svc`
+  * `${POD_NAME}.<cluster-name>-es-<nodeset-name>.${POD_NAMESPACE}.svc`
+* Remote cluster server SSL settings: add the certificate and key.
+
+The following manifest shows a complete configuration for a cluster named `quickstart` with a single nodeSet named `default`:
+
+```yaml
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: quickstart
+spec:
+  version: 8.16.1
+  remoteClusterServer:
+    enabled: true
+  transport:
+    tls:
+      certificateAuthorities:
+        configMapName: trust
+      selfSignedCertificates:
+        disabled: true
+  nodeSets:
+  - name: default
+    count: 3
+    config:
+      xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key
+      xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt
+      xpack.security.remote_cluster_server.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key <1>
+      xpack.security.remote_cluster_server.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt <1>
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          volumeMounts:
+          - name: transport-certs
+            mountPath: /usr/share/elasticsearch/config/cert-manager-certs
+        volumes:
+        - name: transport-certs
+          csi:
+            driver: csi.cert-manager.io
+            readOnly: true
+            volumeAttributes:
+              csi.cert-manager.io/issuer-name: ca-cluster-issuer
+              csi.cert-manager.io/issuer-kind: ClusterIssuer
+              csi.cert-manager.io/dns-names: "${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local,quickstart-es-remote-cluster.${POD_NAMESPACE}.svc,${POD_NAME}.quickstart-es-default.${POD_NAMESPACE}.svc" <2>
+```
+1. The remote cluster server endpoint uses the same certificate as the transport endpoint.
+2. The DNS names include the Pod FQDNs and the remote cluster service FQDN.
+::::
 
 The following manifest is only provided to illustrate how these certificates can be configured in principle, using the trust-manager Bundle resource and cert-manager provisioned certificates: