elastic · eedugon · Jun 1, 2026 · May 27, 2026 · May 28, 2026 · May 29, 2026
@@ -29,3 +29,11 @@ spec:
 Enabling the remote cluster server triggers a restart of the {{es}} cluster.
 ::::
 
+::::{note}
+If you use externally managed certificates for the transport layer, ensure that:
+
+* Your certificates cover the remote cluster service (`<cluster-name>-es-remote-cluster`) and Pod FQDNs.
+* Each nodeSet defines the `xpack.security.remote_cluster_server.ssl.key` and `xpack.security.remote_cluster_server.ssl.certificate` settings.
+
+For a complete example, refer to [Configure remote cluster server with externally managed certificates](/deploy-manage/security/k8s-transport-settings.md#k8s-transport-third-party-tools#rcs-third-party).
+::::
@@ -90,7 +90,7 @@
 apiVersion: elasticsearch.k8s.elastic.co/v1
 kind: Elasticsearch
 metadata:
-  name: es
+  name: quickstart
 spec:
   version: 8.16.1
   transport:
@@ -123,10 +123,9 @@
              csi.cert-manager.io/dns-names: "${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local" <3>
 ```
 
 1. Disables the default certificates generated by ECK for the transport layer.
 2. The example assumes that a `ClusterIssuer` by the name of `ca-cluster-issuer` exists and a PEM encoded version of the CA certificate is available in a ConfigMap (in the example named `trust`).  The CA certificate must be in a file called `ca.crt` inside the ConfigMap in the same namespace as the {{es}} resource.
-3. If the remote cluster server is enabled, then the DNS names must also include both:* The DNS name for the related Kubernetes `Service`: `<cluster-name>-es-remote-cluster.${POD_NAMESPACE}.svc`
-* The Pod DNS name: `${POD_NAME}.<cluster-name>-es-<nodeset-name>.${POD_NAMESPACE}.svc`
+3. If the remote cluster server is enabled, additional DNS names and nodeSet configuration are required. For details, refer to [Configure remote cluster server with externally managed certificates](#rcs-third-party).
 
 The following manifest is only provided to illustrate how these certificates can be configured in principle, using the trust-manager Bundle resource and cert-manager provisioned certificates:
 
@@ -166,4 +165,57 @@
 
 When transitioning from a configuration that uses externally provisioned certificates back to ECK-managed self-signed transport certificates it is important to ensure that the externally provisioned CA remains configured as a trusted CA through the `.spec.transport.tls.certificateAuthorities` attribute until all nodes in the cluster have been updated to use the ECK-managed certificates. When transitioning from ECK-managed certificates to externally provisioned ones, ECK ensures automatically that the ECK CA remains configured until the transition has been completed.
 
+### Configure remote cluster server with externally managed certificates [rcs-third-party]
+
+If you enable the remote cluster server interface for [Remote clusters](/deploy-manage/remote-clusters/eck-remote-clusters-landing.md) with API key-based authentication and use third-party tools to issue transport certificates, you must apply additional configuration beyond the settings shown in the previous example:
+
+* Extend the certificate SANs to cover the remote cluster service and Pod FQDNs:
+  * `<cluster-name>-es-remote-cluster.${POD_NAMESPACE}.svc`
+  * `${POD_NAME}.<cluster-name>-es-<nodeset-name>.${POD_NAMESPACE}.svc`
+* Configure the `xpack.security.remote_cluster_server.ssl.key` and `xpack.security.remote_cluster_server.ssl.certificate` settings in every nodeSet.
+
+The following manifest shows a complete configuration for a cluster named `quickstart` with a single nodeSet named `default`:
+
+```yaml
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: quickstart
+spec:
+  version: 8.16.1
+  remoteClusterServer:
+    enabled: true
+  transport:
+    tls:
+      certificateAuthorities:
+        configMapName: trust
+      selfSignedCertificates:
+        disabled: true
+  nodeSets:
+  - name: default
+    count: 3
+    config:
+      xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key
+      xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt
+      xpack.security.remote_cluster_server.ssl.key: /usr/share/elasticsearch/config/cert-manager-certs/tls.key <1>
+      xpack.security.remote_cluster_server.ssl.certificate: /usr/share/elasticsearch/config/cert-manager-certs/tls.crt <1>
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          volumeMounts:
+          - name: transport-certs
+            mountPath: /usr/share/elasticsearch/config/cert-manager-certs
+        volumes:
+        - name: transport-certs
+          csi:
+            driver: csi.cert-manager.io
+            readOnly: true
+            volumeAttributes:
+              csi.cert-manager.io/issuer-name: ca-cluster-issuer
+              csi.cert-manager.io/issuer-kind: ClusterIssuer
+              csi.cert-manager.io/dns-names: "${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local,quickstart-es-remote-cluster.${POD_NAMESPACE}.svc,${POD_NAME}.quickstart-es-default.${POD_NAMESPACE}.svc" <2>
+```
+1. The remote cluster server endpoint uses the same certificate as the transport endpoint.
+2. The DNS names include the Pod FQDNs and the remote cluster service FQDN.