Enabling CCS/R between Elasticsearch Service and ECKedit

These steps describe how to configure remote clusters between an Elasticsearch cluster in Elasticsearch Service and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.

Establish trust between two clustersedit

The first step is to establish trust between the two clusters.

Establish trust in the Elasticsearch Service clusteredit

  1. Save the ECK CA certificate to a file. For a cluster named quickstart, run:

    kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt
  1. Update the trust settings for the Elasticsearch Service deployment. Follow the steps provided in Access clusters of a self-managed environment, and specifically the first three steps in Specify the deployments trusted to be used as remote clusters using TLS certificate as security model.

    • Use the certificate file saved in the first step.
    • Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
  2. Select Save and then download the CA Certificate and trust.yml file. These files can also be retrieved in the Security page of the deployment. You will use these files in the next set of steps.

Establish trust in the ECK clusteredit

  1. Upload the Elasticsearch Service certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

    kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>
  2. Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

    kubectl create configmap quickstart-trust --from-file=<path to trust.yml>
  3. Edit the Elasticsearch kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace the CA-Certificate-Filename placeholder with the correct value. Note that these configuration changes are required for all nodeSets. Applying this change requires all pods in all nodeSets to be deleted and recreated, which might take quite a while to complete.

      - config:
           - /usr/share/elasticsearch/config/other/<CA-Certificate-Filename>
           xpack.security.transport.ssl.trust_restrictions.path:  /usr/share/elasticsearch/config/trust-filter/trust.yml
            - name: elasticsearch
               - mountPath: /usr/share/elasticsearch/config/other
                  name: ce-aws-cert
               - mountPath: /usr/share/elasticsearch/config/trust-filter
                 name: quickstart-trust
            - name: ce-aws-cert
                 secretName: ce-aws-cert
            - configMap:
                 name: quickstart-trust
               name: quickstart-trust

Setup CCS/Redit

Now that trust has been established, you can set up CCS/R from the ECK cluster to the Elasticsearch Service cluster or from the Elasticsearch Service cluster to the ECK cluster.

ECK Cluster to Elasticsearch Service clusteredit

Configure the ECK cluster using certificate based authentication.

Elasticsearch Service cluster to ECK Clusteredit

Follow the steps outlined in the ECK documentation.