How to run ES in a separate namespace from clients?

I want to put my elasticsearch pods in a separate namespace but I'm not sure how to accomplish this. I have clients running in 2 other namespaces that will need to access the elastic cluster.

The secret containing the credentials is created in the same namespace where the elastic pods are running. That means my clients don't have access to it because those pods cannot read secrets outside their namespace. I can copy the secret to another namespace but this will require a manual repeat of this process anytime the secret changes.

I've looked into Replicator to copy the credentials secret to the other namespaces. It works great but I can't figure out how to tell the ES operator to annotate the secret such that Replicator will pick it up.

It seems my pattern of placing ES into a separate namespace from the clients is a normal use case and I imagine this has been solved. Can someone point me toward a solution?

Thank you,

You are correct, there is not a way to add annotations to the automatically generated secret. In a future version, you will be able to create additional ES users from secrets. So part of your deployment process could be to create Elasticsearch and a secret annotated appropriately so that it can be copied into the remote namespace (or since you are generating the credentials, you can distribute them however you'd like). There is an open PR with example usage. Does that make sense for your use case?

Thank you for the reply. Am I understanding this correctly... if I can create the ES-user secret before creating the elastic resource, the secret I create will be used by the operator and not modified? This would allow me to add the annotations needed by Replicator. I'm concerned the ES operator may modify this secret and remove the annotations.