Secure settingsedit
You can specify secure settings with Kubernetes secrets. The secrets should contain a key-value pair for each secure setting you want to add. ECK automatically injects these settings into the keystore on each Elasticsearch node before it starts Elasticsearch.
It is possible to reference several secrets:
spec: secureSettings: - secretName: one-secure-settings-secret - secretName: two-secure-settings-secret
For the following secret, a gcs.client.default.credentials_file key will be created in Elasticsearch’s keystore with the provided value:
apiVersion: v1 kind: Secret metadata: name: one-secure-settings-secret type: Opaque data: gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK
You can export a subset of secret keys and also project keys to specific paths using the entries, key and path fields:
spec:
secureSettings:
- secretName: gcs-secure-settings
entries:
- key: gcs.client.default.credentials_file
- key: gcs_client_1
path: gcs.client.client_1.credentials_file
- key: gcs_client_2
path: gcs.client.client_2.credentials_file
For the three entries listed in the gcs-secure-settings secret, three keys are created in Elasticsearch’s keystore:
-
gcs.client.default.credentials_file -
gcs.client.client_1.credentials_file -
gcs.client.client_2.credentials_file
The referenced gcs-secure-settings secret now looks like this:
apiVersion: v1 kind: Secret metadata: name: gcs-secure-settings type: Opaque data: gcs.client.default.credentials_file: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykK gcs_client_1: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDEK gcs_client_2: RWxhc3RpYyBDbG91ZCBvbiBLOHMgKEVDSykgLSBHQ1MgY2xpZW50IDIK
Check How to create automated snapshots for an example use case.