From 30957b91a784e59fe96ef8ce561ca0f4c13a4055 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 11:17:18 +0100 Subject: [PATCH 01/23] Document how to set up remote clusters across k8s boundaries --- docs/elasticsearch-specification.asciidoc | 2 + docs/remote-clusters.asciidoc | 125 ++++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 docs/remote-clusters.asciidoc diff --git a/docs/elasticsearch-specification.asciidoc b/docs/elasticsearch-specification.asciidoc index 4649689f21..20d7600c7f 100644 --- a/docs/elasticsearch-specification.asciidoc +++ b/docs/elasticsearch-specification.asciidoc @@ -29,6 +29,7 @@ Before you deploy and run ECK, take some time to look at the basic and advanced - <<{p}-advanced-node-scheduling,Advanced Elasticsearch node scheduling>> - <<{p}-orchestration>> - <<{p}-snapshots,Create automated snapshots>> +- <<{p}-remote-clusters,Remote clusters>> - <<{p}-readiness>> - <<{p}-prestop>> @@ -547,6 +548,7 @@ spec: include::orchestration.asciidoc[] include::advanced-node-scheduling.asciidoc[] include::snapshots.asciidoc[] +include::remote-clusters.asciidoc[] [id="{p}-readiness"] diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc new file mode 100644 index 0000000000..e3ad27bfd6 --- /dev/null +++ b/docs/remote-clusters.asciidoc 
@@ -0,0 +1,125 @@
+ifdef::env-github[]
+****
+link:https://www.elastic.co/guide/en/cloud-on-k8s/master/k8s-remote-clusters.html[View this document on the Elastic website]
+****
+endif::[]
+[id="{p}-remote-clusters"]
+=== Remote clusters
+
+The link:https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-remote-clusters.html[remote clusters module] in Elasticsearch enables you to establish uni-directional connections to a remote cluster. This functionality is used in cross-cluster replication and cross-cluster search.
+
+When using remote cluster connections with ECK the necessary setup depends on where the remote cluster is deployed.
+
+==== Both clusters are in the same Kubernetes cluster
+
+TBD
+
+==== One of the clusters is not in the same Kubernetes cluster
+
+NOTE: While it is technically possible to configure a remote cluster connection to an Elasticsearch cluster residing in Kubernetes in earlier versions, this guide only covers the setup for Elasticsearch 7.6 and later. Elasticsearch 7.6 introduces improved support for the indirection introduced by Kubernetes services which significantly simplifies the setup.
+
+You can configure a remote cluster connection to an Elasticsearch cluster managed by ECK from another cluster outside of Kubernetes or hosted in a different Kubernetes cluster as follows.
+
+. Ensure that both clusters trust each others certificate authority.
+. Configure the remote cluster connection via the Elasticsearch REST API.
+
+For the purposes of this guide we use the following running example:
+
+* `cluster_one` resides inside Kubernetes and is managed by ECK
+* `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may even not be managed by an ECK instance
+
+We will configure `cluster_one` as a remote cluster in `cluster_two`.
+
+
+===== Ensure both clusters trust each others certificate authority
+
+The certificate authority used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named `-es-transport-certs-public`. Extract the certificate for `cluster_one` as follows:
+
+[source,sh]
+----
+kubectl get secret cluster_one-es-transport-certs-public \
+-o go-template='{{index .data "ca.crt" | base64decode}}' > remote.ca.crt
+----
+
+You then need to configure the CA as one of the trusted CAs in `cluster_two`. If that cluster is hosted outside of Kubernetes simply add the CA you extracted to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`]
+
+If `cluster_two` cluster is also managed by an ECK instance, proceed as follows:
+
+Create a secret with the CA certificate you just extracted:
+[source,sh]
+----
+kubectl create secret generic remote-certs --from-file=remote.ca.crt
+----
+
+Use this secret to configure `cluster_one`'s CA as a trusted CA in `cluster_two`:
+
+[source,yaml,subs="attributes"]
+----
+apiVersion: elasticsearch.k8s.elastic.co/{eck}
+kind: Elasticsearch
+metadata:
+ name: cluster_two
+spec:
+ nodeSets:
+ - config:
+ xpack.security.transport.ssl.certificate_authorities:
+ - /usr/share/elasticsearch/config/other/remote.ca.crt
+ count: 3
+ name: default
+ podTemplate:
+ spec:
+ containers:
+ - name: elasticsearch
+ volumeMounts:
+ - mountPath: /usr/share/elasticsearch/config/other
+ name: remote-certs
+ volumes:
+ - name: remote-certs
+ secret:
+ secretName: remote-ca
+ version: 7.6.0
+----
+
+Repeat the steps with reversed roles adding the CA of `cluster_two` to `cluster_one`.
+
+===== Configure the remote cluster connection via the Elasticsearch REST API
+
+Expose the transport layer of `cluster_one` to `cluster_two` which is residing outside of `cluster_one`'s Kubernetes cluster.
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+ name: cluster_one-es-transport
+spec:
+ selector:
+ common.k8s.elastic.co/type: elasticsearch
+ elasticsearch.k8s.elastic.co/cluster-name: cluster_one
+ type: LoadBalancer
+ ports:
+ - protocol: TCP
+ port: 9300
+ targetPort: 9300
+----
+
+Finally configure `cluster_one` as a remote cluster in `cluster_two` via the Elasticsearch REST API:
+
+[source,sh]
+----
+PUT _cluster/settings
+{
+ "persistent": {
+ "cluster": {
+ "remote": {
+ "cluster_one": {
+ "mode": "proxy", <1>
+ "proxy_address": "${LOADBALANCER_IP}:9300" <2>
+ }
+ }
+ }
+ }
+}
+----
+<1> setup the remote connection in "proxy" mode as `cluster_two` will connect to `cluster_one` only through the Kubernetes service abstraction and not to individual nodes directly.
+<2> `${LOADBALANCER_IP}` will be the IP address assigned to the `LoadBalancer` configured in the transport service above or it can also be a DNS name depending on your setup.
From 77c4b45ac1c71f028aa9b999307f0c236bb5a2ce Mon Sep 17 00:00:00 2001
From: Peter Brachwitz
Date: Fri, 21 Feb 2020 11:22:23 +0100
Subject: [PATCH 02/23] Remove redundant cluster
---
docs/remote-clusters.asciidoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc
index e3ad27bfd6..89b4774895 100644
--- a/docs/remote-clusters.asciidoc
+++ b/docs/remote-clusters.asciidoc
@@ -43,7 +43,7 @@ kubectl get secret cluster_one-es-transport-certs-public \ You then need to configure the CA as one of the trusted CAs in `cluster_two`. If that cluster is hosted outside of Kubernetes simply add the CA you extracted to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`] -If `cluster_two` cluster is also managed by an ECK instance, proceed as follows: +If `cluster_two` is also managed by an ECK instance, proceed as follows: Create a secret with the CA certificate you just extracted: [source,sh] From c1e2a5428c05ac3341c444a687e869b65c54d57b Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 11:24:56 +0100 Subject: [PATCH 03/23] Fix example --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 89b4774895..b5de280bc5 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -76,7 +76,7 @@ spec: volumes: - name: remote-certs secret: - secretName: remote-ca + secretName: remote-certs version: 7.6.0 ---- From d3800ff017d03b782303c506891b51853ae2eb76 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:06:24 +0100 Subject: [PATCH 04/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index b5de280bc5..52175a7261 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -10,7 +10,8 @@ The link:https://www.elastic.co/guide/en/elasticsearch/reference/current/modules When using remote cluster connections with ECK the necessary setup depends on where the remote cluster is deployed. -==== Both clusters are in the same Kubernetes cluster +[id="{p}-remote-clusters-connect-internal"] +==== Connect from an Elasticsearch cluster running in the same Kubernetes cluster TBD From cdcc166c5dd40098a3205aa8affb236b49133c0e Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:06:42 +0100 Subject: [PATCH 05/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 52175a7261..1946d669f2 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -15,7 +15,8 @@ When using remote cluster connections with ECK the necessary setup depends on wh TBD -==== One of the clusters is not in the same Kubernetes cluster +[id="{p}-remote-clusters-connect-external"] +==== Connect from an Elasticsearch cluster running outside the Kubernetes cluster NOTE: While it is technically possible to configure a remote cluster connection to an Elasticsearch cluster residing in Kubernetes in earlier versions, this guide only covers the setup for Elasticsearch 7.6 and later. Elasticsearch 7.6 introduces improved support for the indirection introduced by Kubernetes services which significantly simplifies the setup. From 53546abf6b12495e021ea2cf26ed66eb3ad4c904 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:06:58 +0100 Subject: [PATCH 06/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 1946d669f2..7336a77ff8 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -8,7 +8,7 @@ endif::[] The link:https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-remote-clusters.html[remote clusters module] in Elasticsearch enables you to establish uni-directional connections to a remote cluster. This functionality is used in cross-cluster replication and cross-cluster search. -When using remote cluster connections with ECK the necessary setup depends on where the remote cluster is deployed. +When using remote cluster connections with ECK, the necessary setup depends on where the remote cluster is deployed. [id="{p}-remote-clusters-connect-internal"] ==== Connect from an Elasticsearch cluster running in the same Kubernetes cluster From c8a06ae05350d72015672ab21806da43929b3bcf Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:07:32 +0100 Subject: [PATCH 07/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 7336a77ff8..3f70a7970f 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -18,7 +18,7 @@ TBD [id="{p}-remote-clusters-connect-external"] ==== Connect from an Elasticsearch cluster running outside the Kubernetes cluster -NOTE: While it is technically possible to configure a remote cluster connection to an Elasticsearch cluster residing in Kubernetes in earlier versions, this guide only covers the setup for Elasticsearch 7.6 and later. Elasticsearch 7.6 introduces improved support for the indirection introduced by Kubernetes services which significantly simplifies the setup. +NOTE: While it is technically possible to configure remote cluster connections using older versions of Elasticsearch, this guide only covers the setup for Elasticsearch 7.6 and later. The setup process is significantly simplified in Elasticsearch 7.6 due to improved support for the indirection introduced by Kubernetes services. You can configure a remote cluster connection to an Elasticsearch cluster managed by ECK from another cluster outside of Kubernetes or hosted in a different Kubernetes cluster as follows. From 033140c8d659217160a0fa5c0628777deb1b232e Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:08:24 +0100 Subject: [PATCH 08/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 3f70a7970f..7ee73b2ea4 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -20,7 +20,7 @@ TBD NOTE: While it is technically possible to configure remote cluster connections using older versions of Elasticsearch, this guide only covers the setup for Elasticsearch 7.6 and later. The setup process is significantly simplified in Elasticsearch 7.6 due to improved support for the indirection introduced by Kubernetes services. -You can configure a remote cluster connection to an Elasticsearch cluster managed by ECK from another cluster outside of Kubernetes or hosted in a different Kubernetes cluster as follows. +You can configure a remote cluster connection to an ECK-managed Elasticsearch cluster from another cluster running outside the Kubernetes cluster as follows: . Ensure that both clusters trust each others certificate authority. . Configure the remote cluster connection via the Elasticsearch REST API. From c2e5e9c4bc64274e8c94de4de8095f267bb7668d Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:08:53 +0100 Subject: [PATCH 09/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 7ee73b2ea4..7638dc0c43 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -22,7 +22,7 @@ NOTE: While it is technically possible to configure remote cluster connections u You can configure a remote cluster connection to an ECK-managed Elasticsearch cluster from another cluster running outside the Kubernetes cluster as follows: -. Ensure that both clusters trust each others certificate authority. +. Ensure that both clusters trust each other's certificate authority. . Configure the remote cluster connection via the Elasticsearch REST API. For the purposes of this guide we use the following running example: 
From c1d7ced334297eeb326ee8f5d4c4150ec879c38b Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:09:13 +0100 Subject: [PATCH 10/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 7638dc0c43..84812b5b74 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -28,7 +28,7 @@ You can configure a remote cluster connection to an ECK-managed Elasticsearch cl For the purposes of this guide we use the following running example: * `cluster_one` resides inside Kubernetes and is managed by ECK -* `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may even not be managed by an ECK instance +* `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may not even be managed by ECK We will configure `cluster_one` as a remote cluster in `cluster_two`. From bc32c85615c9de222bc5381dfc780301c5ad1b66 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:09:33 +0100 Subject: [PATCH 11/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 84812b5b74..1388900d43 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -25,7 +25,7 @@ You can configure a remote cluster connection to an ECK-managed Elasticsearch cl . Ensure that both clusters trust each other's certificate authority. . Configure the remote cluster connection via the Elasticsearch REST API. -For the purposes of this guide we use the following running example: +For illustration purposes, consider the following example: * `cluster_one` resides inside Kubernetes and is managed by ECK * `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may not even be managed by ECK From 84faff7b0a07878596964d69b70b3451b57b46b8 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:09:56 +0100 Subject: [PATCH 12/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 1388900d43..b5bbcf38b9 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -30,7 +30,7 @@ For illustration purposes, consider the following example: * `cluster_one` resides inside Kubernetes and is managed by ECK * `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may not even be managed by ECK -We will configure `cluster_one` as a remote cluster in `cluster_two`. +To configure `cluster_one` as a remote cluster in `cluster_two`: ===== Ensure both clusters trust each others certificate authority From d6cc47359537ae45f03c2a58a11e9ca6f497ca17 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:14:36 +0100 Subject: [PATCH 13/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index b5bbcf38b9..6a56dbd452 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -124,4 +124,4 @@ PUT _cluster/settings } ---- <1> setup the remote connection in "proxy" mode as `cluster_two` will connect to `cluster_one` only through the Kubernetes service abstraction and not to individual nodes directly. -<2> `${LOADBALANCER_IP}` will be the IP address assigned to the `LoadBalancer` configured in the transport service above or it can also be a DNS name depending on your setup. +<2> Replace `${LOADBALANCER_IP}` with the IP address assigned to the `LoadBalancer` configured above. if you have configured a DNS entry for the service, you can use the DNS name instead of the IP address as well. From e966efca8350152d73a914dc8886ddc8cc558424 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:14:57 +0100 Subject: [PATCH 14/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 6a56dbd452..47dd281d0c 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -123,5 +123,5 @@ PUT _cluster/settings } } ---- -<1> setup the remote connection in "proxy" mode as `cluster_two` will connect to `cluster_one` only through the Kubernetes service abstraction and not to individual nodes directly. +<1> Use "proxy" mode as `cluster_two` will be connecting to `cluster_one` through the Kubernetes service abstraction. <2> Replace `${LOADBALANCER_IP}` with the IP address assigned to the `LoadBalancer` configured above. if you have configured a DNS entry for the service, you can use the DNS name instead of the IP address as well. From f4bdcced0913569cf5f69cec54f2c1c6804a9456 Mon Sep 17 00:00:00 2001 
From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:15:18 +0100 Subject: [PATCH 15/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 47dd281d0c..5fcacee059 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -105,7 +105,7 @@ spec: targetPort: 9300 ---- -Finally configure `cluster_one` as a remote cluster in `cluster_two` via the Elasticsearch REST API: +Finally, configure `cluster_one` as a remote cluster in `cluster_two` using the Elasticsearch REST API: [source,sh] ---- From aadb778d26c5888cb0ebad191f22360ad0b83fa0 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:16:04 +0100 Subject: [PATCH 16/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 5fcacee059..94534362f2 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -86,7 +86,7 @@ Repeat the steps with reversed roles adding the CA of `cluster_two` to `cluster_ ===== Configure the remote cluster connection via the Elasticsearch REST API -Expose the transport layer of `cluster_one` to `cluster_two` which is residing outside of `cluster_one`'s Kubernetes cluster. +Expose the transport layer of `cluster_one`. [source,yaml] ---- From e87de6c72e705538f5a1a1004b5b32449d424298 Mon Sep 17 00:00:00 2001 
From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:16:14 +0100 Subject: [PATCH 17/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 94534362f2..dbf9ffa3b0 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -82,7 +82,7 @@ spec: version: 7.6.0 ---- -Repeat the steps with reversed roles adding the CA of `cluster_two` to `cluster_one`. +Repeat the above steps to add the CA of `cluster_two` to `cluster_one` as well. ===== Configure the remote cluster connection via the Elasticsearch REST API From 8201693e2d75bfb87d18b26c08d81752109dca61 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:16:34 +0100 Subject: [PATCH 18/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index dbf9ffa3b0..fa886b9e84 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -57,7 +57,7 @@ Use this secret to configure `cluster_one`'s CA as a trusted CA in `cluster_two` [source,yaml,subs="attributes"] ---- -apiVersion: elasticsearch.k8s.elastic.co/{eck} +apiVersion: elasticsearch.k8s.elastic.co/{eck_crd_version} kind: Elasticsearch metadata: name: cluster_two From 1bd5c84f0f637a3e3e4ab255ff406f385d09820a Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:17:35 +0100 Subject: [PATCH 19/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index fa886b9e84..7cd29f6fe1 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -35,7 +35,7 @@ To configure `cluster_one` as a remote cluster in `cluster_two`: ===== Ensure both clusters trust each others certificate authority -The certificate authority used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named `-es-transport-certs-public`. Extract the certificate for `cluster_one` as follows: +The certificate authority (CA) used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named `-es-transport-certs-public`. Extract the certificate for `cluster_one` as follows: [source,sh] ---- From 485a6e2a374c56be690849d3993a3b629e959cd6 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 14:18:01 +0100 Subject: [PATCH 20/23] Update docs/remote-clusters.asciidoc Co-Authored-By: Charith Ellawala <52399125+charith-elastic@users.noreply.github.com> --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 7cd29f6fe1..e85c058335 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -43,7 +43,7 @@ kubectl get secret cluster_one-es-transport-certs-public \ -o go-template='{{index .data "ca.crt" | base64decode}}' > remote.ca.crt ---- -You then need to configure the CA as one of the trusted CAs in `cluster_two`. If that cluster is hosted outside of Kubernetes simply add the CA you extracted to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`] +You then need to configure the CA as one of the trusted CAs in `cluster_two`. If that cluster is hosted outside of Kubernetes, simply add the CA certificate extracted in the above step to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`] If `cluster_two` is also managed by an ECK instance, proceed as follows: From 5200fff14e0a125f4d24683f966ad471ac3d9c66 Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 15:38:12 +0100 Subject: [PATCH 21/23] use variable for ES version --- docs/remote-clusters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index e85c058335..87f72dacfe 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc @@ -79,7 +79,7 @@ spec: - name: remote-certs secret: secretName: remote-certs - version: 7.6.0 + version: {version} ---- Repeat the above steps to add the CA of `cluster_two` to `cluster_one` as well. From fa56b779c6a435abdf1dfedc04f43db16f751ccc Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Fri, 21 Feb 2020 17:37:18 +0100 Subject: [PATCH 22/23] consistent hyphenation --- docs/remote-clusters.asciidoc | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) 
diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index 87f72dacfe..df8a69fca2 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -27,25 +27,25 @@ You can configure a remote cluster connection to an ECK-managed Elasticsearch cl For illustration purposes, consider the following example: -* `cluster_one` resides inside Kubernetes and is managed by ECK -* `cluster_two` is not hosted inside the same Kubernetes cluster as `cluster_one` and may not even be managed by ECK +* `cluster-one` resides inside Kubernetes and is managed by ECK +* `cluster-two` is not hosted inside the same Kubernetes cluster as `cluster-one` and may not even be managed by ECK -To configure `cluster_one` as a remote cluster in `cluster_two`: +To configure `cluster-one` as a remote cluster in `cluster-two`: ===== Ensure both clusters trust each others certificate authority -The certificate authority (CA) used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named `-es-transport-certs-public`. Extract the certificate for `cluster_one` as follows: +The certificate authority (CA) used by ECK to issue certificates for the Elasticsearch transport layer is stored in a secret named `-es-transport-certs-public`. Extract the certificate for `cluster-one` as follows: [source,sh] ---- -kubectl get secret cluster_one-es-transport-certs-public \ +kubectl get secret cluster-one-es-transport-certs-public \ -o go-template='{{index .data "ca.crt" | base64decode}}' > remote.ca.crt ---- -You then need to configure the CA as one of the trusted CAs in `cluster_two`. If that cluster is hosted outside of Kubernetes, simply add the CA certificate extracted in the above step to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`] +You then need to configure the CA as one of the trusted CAs in `cluster-two`. 
If that cluster is hosted outside of Kubernetes, simply add the CA certificate extracted in the above step to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`] -If `cluster_two` is also managed by an ECK instance, proceed as follows: +If `cluster-two` is also managed by an ECK instance, proceed as follows: Create a secret with the CA certificate you just extracted: [source,sh] @@ -53,14 +53,14 @@ Create a secret with the CA certificate you just extracted: kubectl create secret generic remote-certs --from-file=remote.ca.crt ---- -Use this secret to configure `cluster_one`'s CA as a trusted CA in `cluster_two`: +Use this secret to configure `cluster-one`'s CA as a trusted CA in `cluster-two`: [source,yaml,subs="attributes"] ---- apiVersion: elasticsearch.k8s.elastic.co/{eck_crd_version} kind: Elasticsearch metadata: - name: cluster_two + name: cluster-two spec: nodeSets: - config: @@ -82,22 +82,22 @@ spec: version: {version} ---- -Repeat the above steps to add the CA of `cluster_two` to `cluster_one` as well. +Repeat the above steps to add the CA of `cluster-two` to `cluster-one` as well. ===== Configure the remote cluster connection via the Elasticsearch REST API -Expose the transport layer of `cluster_one`. +Expose the transport layer of `cluster-one`. [source,yaml] ---- apiVersion: v1 kind: Service metadata: - name: cluster_one-es-transport + name: cluster-one-es-transport spec: selector: common.k8s.elastic.co/type: elasticsearch - elasticsearch.k8s.elastic.co/cluster-name: cluster_one + elasticsearch.k8s.elastic.co/cluster-name: cluster-one type: LoadBalancer ports: - protocol: TCP 
@@ -105,7 +105,7 @@ spec: targetPort: 9300 ---- -Finally, configure `cluster_one` as a remote cluster in `cluster_two` using the Elasticsearch REST API: +Finally, configure `cluster-one` as a remote cluster in `cluster-two` using the Elasticsearch REST API: [source,sh] ---- @@ -114,7 +114,7 @@ PUT _cluster/settings "persistent": { "cluster": { "remote": { - "cluster_one": { + "cluster-one": { "mode": "proxy", <1> "proxy_address": "${LOADBALANCER_IP}:9300" <2> } @@ -123,5 +123,5 @@ PUT _cluster/settings } } ---- -<1> Use "proxy" mode as `cluster_two` will be connecting to `cluster_one` through the Kubernetes service abstraction. +<1> Use "proxy" mode as `cluster-two` will be connecting to `cluster-one` through the Kubernetes service abstraction. <2> Replace `${LOADBALANCER_IP}` with the IP address assigned to the `LoadBalancer` configured above. if you have configured a DNS entry for the service, you can use the DNS name instead of the IP address as well. From 86496222a7f96fc62a68e3c81373099e6f284c3d Mon Sep 17 00:00:00 2001 From: Peter Brachwitz Date: Mon, 24 Feb 2020 09:05:52 +0100 Subject: [PATCH 23/23] additional review input --- docs/remote-clusters.asciidoc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/remote-clusters.asciidoc b/docs/remote-clusters.asciidoc index df8a69fca2..d8a76d9617 100644 --- a/docs/remote-clusters.asciidoc +++ b/docs/remote-clusters.asciidoc 
@@ -8,7 +8,7 @@ endif::[]
 The link:https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-remote-clusters.html[remote clusters module] in Elasticsearch enables you to establish uni-directional connections to a remote cluster. This functionality is used in cross-cluster replication and cross-cluster search.
-When using remote cluster connections with ECK, the necessary setup depends on where the remote cluster is deployed.
+When using remote cluster connections with ECK, the setup process depends on where the remote cluster is deployed.
 [id="{p}-remote-clusters-connect-internal"]
 ==== Connect from an Elasticsearch cluster running in the same Kubernetes cluster
@@ -18,7 +18,7 @@ TBD
 [id="{p}-remote-clusters-connect-external"]
 ==== Connect from an Elasticsearch cluster running outside the Kubernetes cluster
-NOTE: While it is technically possible to configure remote cluster connections using older versions of Elasticsearch, this guide only covers the setup for Elasticsearch 7.6 and later. The setup process is significantly simplified in Elasticsearch 7.6 due to improved support for the indirection introduced by Kubernetes services.
+NOTE: While it is technically possible to configure remote cluster connections using older versions of Elasticsearch, this guide only covers the setup for Elasticsearch 7.6 and later. The setup process is significantly simplified in Elasticsearch 7.6 due to improved support for the indirection of Kubernetes services.
 You can configure a remote cluster connection to an ECK-managed Elasticsearch cluster from another cluster running outside the Kubernetes cluster as follows:
@@ -43,7 +43,7 @@ kubectl get secret cluster-one-es-transport-certs-public \
 -o go-template='{{index .data "ca.crt" | base64decode}}' > remote.ca.crt
 ----
-You then need to configure the CA as one of the trusted CAs in `cluster-two`. If that cluster is hosted outside of Kubernetes, simply add the CA certificate extracted in the above step to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`]
+You then need to configure the CA as one of the trusted CAs in `cluster-two`. If that cluster is hosted outside of Kubernetes, simply add the CA certificate extracted in the above step to the list of CAs in link:https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html#_pem_encoded_files_3[`xpack.security.transport.ssl.certificate_authorities`].
 If `cluster-two` is also managed by an ECK instance, proceed as follows:
@@ -98,12 +98,13 @@ spec:
 selector:
 common.k8s.elastic.co/type: elasticsearch
 elasticsearch.k8s.elastic.co/cluster-name: cluster-one
- type: LoadBalancer
+ type: LoadBalancer <1>
 ports:
 - protocol: TCP
 port: 9300
 targetPort: 9300
 ----
+<1> On cloud providers which support external load balancers, setting the type field to LoadBalancer provisions a load balancer for your Service. Alternatively expose the service via a Kubernetes link:https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress].
 Finally, configure `cluster-one` as a remote cluster in `cluster-two` using the Elasticsearch REST API: