Remote clusters between Elastic Cloud Hosted and ECK
These steps describe how to configure remote clusters between an Elasticsearch cluster in Elastic Cloud Hosted (ECH) and an Elasticsearch cluster running within Elastic Cloud on Kubernetes (ECK). Once that’s done, you’ll be able to run CCS queries from Elasticsearch or set up CCR.
The first step is to establish trust between the two clusters, by adding the CA certificate and trust details of each environment into the other.
This guide uses TLS certificates to secure remote cluster connections and follows a similar approach to Access clusters of a self-managed environment.
To configure trust in the ECH deployment:
1. Save the Elasticsearch transport CA certificate of your ECK deployment. For an Elasticsearch cluster named `quickstart`, run:

   ```sh
   kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck-ca.crt
   ```

   This command saves the certificate to `eck-ca.crt`.

2. Update the trust settings for the Elastic Cloud Hosted deployment:
   1. From the Security menu, select Remote Connections > Add trusted environment, choose Self-managed, and click Next.
   2. Select Certificates as the authentication mechanism and click Next.
   3. In Add trusted CA certificate, upload the `eck-ca.crt` file retrieved in the previous step.
   4. In Select trusted clusters, configure the following:
      - Select Trust clusters whose Common Name follows the Elastic pattern.
      - For Scope ID, enter `<kubernetes-namespace>.es.local`, replacing `<kubernetes-namespace>` with the namespace of your ECK cluster.
      - In Trust, select All deployments.
   5. In Name the environment, enter a name for the trusted environment. That name will appear in the trust summary of your deployment’s Security page.
   6. Select Create trust to complete the configuration.
   7. On the confirmation screen, when prompted Have you already set up trust from the other environment?, select No, I have NOT set up trust from the other environment yet. Download both the ECH deployment CA certificate and the `trust.yml` file. These files can also be retrieved from the Security page of the deployment. You’ll use these files to configure trust in the ECK deployment.
The `trust.yml` file you downloaded from the Cloud UI includes a subject name pattern that isn't valid for your ECK cluster. Before using it in your ECK cluster, update the file with the pattern that matches your cluster.

Locate the line corresponding to the Scope ID you entered when configuring trust in the ECH deployment:

```yaml
"*.node.*.cluster.<kubernetes-namespace>.es.local.account"
```

Replace it with the correct subject name for your ECK cluster, which follows this pattern:

```yaml
"*.node.<cluster-name>.<kubernetes-namespace>.es.local"
```
If you don’t update this entry, Elasticsearch nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation.
For example, the original downloaded file might contain the following:

```yaml
trust.subject_name:
  - "*.node.2dc556bb4bd040e00d0135683b66a2f6.cluster.1075999151.account"
  - "*.node.*.cluster.<kubernetes-namespace>.es.local.account"
```

- The first entry identifies your ECH deployment. Leave it unchanged.
- The second entry identifies your ECK deployment incorrectly and must be updated.
For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following:

```yaml
trust.subject_name:
  - "*.node.2dc556bb4bd040e89d0135683b66a2f6.cluster.1075708151.account"
  - "*.node.quickstart.default.es.local"
```
Apply the changes and save the `trust.yml` file.
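As an added example (not from the Elastic documentation), this POSIX shell script rewrites the ECK entry of a downloaded `trust.yml` as described above and then checks which node subject names the resulting patterns would trust, so you can confirm the fix before creating the config map. It assumes the Scope ID namespace was entered as `default`, uses constructed placeholder deployment ids, models ECK node subject names as `<pod>.node.<cluster>.<namespace>.es.local` (an assumption about ECK's naming), approximates the `*` wildcard of trust restrictions with shell globbing, and uses function names of my own.

```sh
# Added example (not Elastic's code): fix the ECK entry of a downloaded trust.yml and check node names.
set -eu

# Write a constructed copy of a downloaded trust.yml (placeholder ids, not real ones).
write_sample_trust_yml() {
  cat > "$1" <<'EOF'
trust.subject_name:
  - "*.node.0123456789abcdef0123456789abcdef.cluster.1234567890.account"
  - "*.node.*.cluster.default.es.local.account"
EOF
}

# Replace the incorrect ECK entry with "*.node.<cluster>.<namespace>.es.local".
# $1 = trust.yml path, $2 = ECK cluster name, $3 = Kubernetes namespace.
update_trust_yml() {
  file=$1; cluster=$2; ns=$3; tmp="$file.tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'"*.node.*.cluster.'*'.es.local.account"'*)
        prefix=${line%%\"*}    # keep the indentation and dash of the original line
        printf '%s"*.node.%s.%s.es.local"\n' "$prefix" "$cluster" "$ns" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Print the quoted trust.subject_name entries of a trust.yml, one per line, unquoted.
trust_patterns() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *'- "'*'"'*) p=${line#*\"}; printf '%s\n' "${p%\"*}" ;;
    esac
  done < "$1"
}

# Return 0 when a node subject name matches at least one pattern in the file. Shell
# globbing stands in for the '*' wildcard of Elasticsearch trust restrictions (assumption).
node_trusted() {
  file=$1; name=$2; found=1
  while IFS= read -r p; do
    case "$name" in $p) found=0 ;; esac
  done <<EOF
$(trust_patterns "$file")
EOF
  return $found
}

# Demo: ECK node certificates are assumed to be named <pod>.node.<cluster>.<namespace>.es.local.
write_sample_trust_yml ./trust.yml
update_trust_yml ./trust.yml quickstart default
node_trusted ./trust.yml quickstart-es-default-0.node.quickstart.default.es.local && echo trusted
```

A node from another cluster or namespace is rejected by the rewritten entry, while the untouched ECH entry still matches the ECH deployment's nodes.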
To configure trust in the ECK deployment:
1. In the same namespace as your Elasticsearch cluster, upload the ECH CA certificate that you downloaded from the Cloud UI as a Kubernetes secret:

   ```sh
   kubectl create secret generic remote-ech-ca --from-file=ca.crt=<path-to-CA-certificate-file> -n <namespace>
   ```

2. In the same namespace as your Elasticsearch cluster, upload the updated `trust.yml` file as a Kubernetes config map. For a cluster named `quickstart`, run the following command:

   ```sh
   kubectl create configmap quickstart-trust-ech --from-file=trust.yml=<path-to-trust.yml> -n <namespace>
   ```

3. Edit the Elasticsearch Kubernetes resource to reference the ECH CA certificate and `trust.yml` file. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively.

   Note: Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all Elasticsearch pods, which might take some time to complete.

   ```yaml
   spec:
     nodeSets:
     - config:
         xpack.security.transport.ssl.certificate_authorities:
         - /usr/share/elasticsearch/config/ech-ca/ca.crt
         xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml
       podTemplate:
         spec:
           containers:
           - name: elasticsearch
             volumeMounts:
             - mountPath: /usr/share/elasticsearch/config/ech-ca
               name: remote-ech-ca
             - mountPath: /usr/share/elasticsearch/config/trust-filter
               name: eck-ech-trust
           volumes:
           - name: remote-ech-ca
             secret:
               secretName: remote-ech-ca
           - name: eck-ech-trust
             configMap:
               name: quickstart-trust-ech
   ```
   - Ensure `secretName` under `secret` matches the name of the Secret you created earlier.
   - Ensure `name` under `configMap` matches the name of the ConfigMap you created earlier.
Now that trust has been established, you can set up cross-cluster search or cross-cluster replication (CCS or CCR) from the ECK cluster to the ECH cluster or from the ECH cluster to the ECK cluster.
Configure the ECH deployment as a remote on your ECK cluster following Access clusters of a self-managed environment > Connect to the remote cluster steps.
Follow the steps outlined in the ECK documentation to expose the transport layer of your ECK cluster, and configure the ECK cluster as a remote of your ECH deployment.