So we are playing around with ECK on multiple clusters in different regions. We want to establish cross-cluster search from one central cluster.
How can we set the ca-cert for our clusters during creation?
We followed the instructions here to set the http certificate but how do we set the CA cert?
To configure additional CA certificates you can just use the xpack.security.transport.ssl.certificate_authorities key as described in the Elasticsearch documentation; there is nothing ECK-specific here to keep in mind other than mounting the CA certificates into the pod.
An example Elasticsearch manifest for ECK could then look like this:
This assumes that a secret called cluster-two-es-transport-certs-public exists containing the CA certs of the other cluster you want to connect to. You will also have to configure the CA of this cluster on the other side to establish mutual trust.
It is maybe worth pointing out (for others reading this) that setting up the CAs is in itself not sufficient to configure remote clusters across different regions/k8s clusters. You would also have to make sure that all nodes in the remote cluster are reachable from the other cluster, e.g. via some form of router (all depending on your setup, so hard to make a specific recommendation).
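The manifest the reply above describes, written out as an added example (not taken from the original thread); it assumes this cluster is called cluster-one, runs Elasticsearch 7.6.0, and that the remote cluster's public transport-certs secret has been copied into this namespace as cluster-two-es-transport-certs-public with the CA stored under the key ca.crt.

```yaml
# Added example, not from the original thread: an ECK Elasticsearch manifest
# that trusts the transport CA of a second cluster for cross-cluster search.
# Assumptions: this cluster is cluster-one, the secret
# cluster-two-es-transport-certs-public exists in this namespace and holds
# the remote cluster's CA under the key ca.crt.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: cluster-one
spec:
  version: 7.6.0            # assumed version
  nodeSets:
  - name: default
    count: 3
    config:
      # Extra trusted CA for the transport layer. ECK keeps issuing this
      # cluster's own transport certificates; if your ECK version does not
      # merge its own CA into a user-supplied list, add that CA's path to this
      # list as well (check the generated elasticsearch.yml inside a pod).
      xpack.security.transport.ssl.certificate_authorities:
        - /usr/share/elasticsearch/config/remote-ca/ca.crt
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          volumeMounts:
          # Mount the copied secret read-only where the config above expects it.
          - name: remote-ca
            mountPath: /usr/share/elasticsearch/config/remote-ca
            readOnly: true
        volumes:
        - name: remote-ca
          secret:
            secretName: cluster-two-es-transport-certs-public
```

Apply the mirror image on cluster-two (mounting cluster-one-es-transport-certs-public there), since the trust has to be configured on both sides or the transport handshake fails in one direction.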
We still have the issue of having to specify one Kubernetes node as proxy. Haven't gotten any working TCP load balancing. Amazon is our cloud right now.
So I've got the CA cert now being used by both clusters with the xpack.security.transport.ssl.certificate_authorities config value.
However I'm still getting org.elasticsearch.transport.TransportException: handshake failed because connection reset as an error when trying to connect to the remote cluster.
I've just taken the CA cert from the remote cluster's secret and put it in the certificate_authorities for the other cluster.
It was my mistake in misreading the docs. I thought it was only the querying cluster that needed the CA cert of the remote cluster added, but you need the CA of each added to the other.
@iremmats, thank you for the proxy hint, that bit me as well!
Is there a way to "prime" the cluster with a pre-generated CA cert for transport, so that when the cluster comes up it uses a well-known CA to generate the cert secrets so I don't need to look it up after the cluster starts?
@glennslaven, for the transport protocol we don't support user-configured certificates. At least not at the moment with 1.0.
But even for HTTP, there's no way to put in only the CA (and key) and make the operator sign the certificates with that CA. If custom certificates are used (for HTTP) we expect the users to give all three: CA, cert and private key.
Are there any plans to have this by GA? We are looking at this for OpenShift, and ECK without the ability to pass these as secrets to allow CCS and CCR seems like a deal breaker for many that don't use AWS, GCE, etc.