Elastic Docs Elastic Cloud Enterprise Reference [3.7] Administering deployments Enable cross-cluster search and cross-cluster replication
« Access clusters of a self-managed environment Edit or remove a trusted environment »

Enabling CCS/R between Elastic Cloud Enterprise and ECKedit

These steps describe how to configure remote clusters between an Elasticsearch cluster in Elastic Cloud Enterprise and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.

Establish trust between two clustersedit

The first step is to establish trust between the two clusters.

Establish trust in the Elastic Cloud Enterprise clusteredit

  1. Save the ECK CA certificate to a file. For a cluster named quickstart, run:

    kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt

  1. Update the trust settings for the Elastic Cloud Enterprise deployment. Follow the steps provided in Access clusters of a self-managed environment, and specifically the first three steps in Specify the deployments trusted to be used as remote clusters using TLS certificate as security model.

    • Use the certificate file saved in the first step.
    • Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
  2. Select Save and then download the CA Certificate and trust.yml file. These files can also be retrieved in the Security page of the deployment. You will use these files in the next set of steps.

Establish trust in the ECK clusteredit

  1. Upload the Elastic Cloud Enterprise certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

    kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>

  2. Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

    kubectl create configmap quickstart-trust --from-file=<path to trust.yml>

  3. Edit the Elasticsearch kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace the CA-Certificate-Filename placeholder with the correct value. Note that these configuration changes are required for all nodeSets. Applying this change requires all pods in all nodeSets to be deleted and recreated, which might take quite a while to complete.

    spec:
  nodeSets:
  - config:
       xpack.security.transport.ssl.certificate_authorities:
       - /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
       xpack.security.transport.ssl.trust_restrictions.path:  /usr/share/elasticsearch/config/trust-filter/trust.yml
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
           volumeMounts:
           - mountPath: /usr/share/elasticsearch/config/other
              name: ce-aws-cert
           - mountPath: /usr/share/elasticsearch/config/trust-filter
             name: quickstart-trust
        volumes:
        - name: ce-aws-cert
           secret:
             secretName: ce-aws-cert
        - configMap:
             name: quickstart-trust
           name: quickstart-trust

Setup CCS/Redit

Now that trust has been established, you can set up CCS/R from the ECK cluster to the Elastic Cloud Enterprise cluster or from the Elastic Cloud Enterprise cluster to the ECK cluster.

ECK Cluster to Elastic Cloud Enterprise clusteredit

Configure the ECK cluster using certificate based authentication.

Elastic Cloud Enterprise cluster to ECK Clusteredit

Follow the steps outlined in the ECK documentation.

« Access clusters of a self-managed environment Edit or remove a trusted environment »