Enabling CCS/R between Elasticsearch Service and ECKedit

These steps describe how to configure remote clusters between an Elasticsearch cluster in Elasticsearch Service and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.

Establish trust between two clustersedit

The first step is to establish trust between the two clusters.

Establish trust in the Elasticsearch Service clusteredit

  1. Save the ECK CA certificate to a file. For a cluster named quickstart, run:

    kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt
  1. Update the trust settings for the Elasticsearch Service deployment. Follow the steps provided in deployment trust settings, and specifically the first three steps for a self-managed environment

    • Use the certificate file saved in the first step.
    • Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
  2. Select Save and then download the CA Certificate and trust.yml file. These files can also be retrieved in the Security page of the deployment. You will use these files in the next set of steps.

Establish trust in the ECK clusteredit

  1. Upload the Elasticsearch Service certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

    kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>
  2. Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

    kubectl create configmap quickstart-trust --from-file=<path to trust.yml>
  3. Edit the Elasticsearch kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace the CA-Certificate-Filename placeholder with the correct value. Note that these configuration changes are required for all nodeSets. Applying this change will require all pods in all nodeSets to be deleted and recreated, which might take quite a while to complete.

    spec:
      nodeSets:
      - config:
           xpack.security.transport.ssl.certificate_authorities:
           - /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
           xpack.security.transport.ssl.trust_restrictions.path:  /usr/share/elasticsearch/config/trust-filter/trust.yml
        podTemplate:
          spec:
            containers:
            - name: elasticsearch
               volumeMounts:
               - mountPath: /usr/share/elasticsearch/config/other
                  name: ce-aws-cert
               - mountPath: /usr/share/elasticsearch/config/trust-filter
                 name: quickstart-trust
            volumes:
            - name: ce-aws-cert
               secret:
                 secretName: ce-aws-cert
            - configMap:
                 name: quickstart-trust
               name: quickstart-trust

Setup CCS/Redit

Now that trust has been established, you can set up CCS/R from the ECK cluster to the Elasticsearch Service cluster or from the Elasticsearch Service cluster to the ECK cluster.

ECK Cluster to Elasticsearch Service clusteredit

Configure the ECK cluster using Kibana or the API.

Elasticsearch Service cluster to ECK Clusteredit

Follow the steps outlined in the ECK documentation.