The transport module in Elasticsearch is used for internal communication between nodes within the cluster as well as communication between remote clusters. See the Elasticsearch documentation for details. For customization options of the HTTP layer see Services and TLS certificates.
spec.transport.service. section, you can change the Kubernetes service used to expose the Elasticsearch transport module:
spec: transport: service: metadata: labels: my-custom: label spec: type: LoadBalancer
Check the Kubernetes Publishing Services (ServiceTypes) that are currently available.
When you change the
clusterIP setting of the service, ECK deletes and re-creates the service, as
clusterIP is an immutable field. This will cause a short network disruption, but in most cases it should not affect existing connections as the transport module uses long-lived TCP connections.
Elasticsearch uses X.509 certificates to establish encrypted and authenticated connections across nodes in the cluster. By default, ECK creates a self-signed CA certificate to issue a certificate for each node in the cluster.
You can use a Kubernetes secret to provide your own CA instead of the self-signed certificate that ECK will then use to create node certificates for transport connections.
The CA certificate must be stored in the secret under
ca.crt and the private key must be stored under
You need to reference the name of a secret that contains the TLS private key and the CA certificate, in the
spec.transport.tls.certificate section, as shown in this example:
spec: transport: tls: certificate: secretName: custom-ca
The operator generates a self-signed TLS certificates for each node in the cluster. You can add extra IP addresses or DNS names to the generated certificates as follows:
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 7.15.1 transport: tls: subjectAltNames: - ip: 22.214.171.124 - dns: hulk.example.com nodeSets: - name: default count: 3