ECH/ECK remote clusters doc is incorrect for trust.yml #1647
Conversation
eedugon
changed the title
There was a problem hiding this comment.
I think it is confusing to let the customer to enter a value, <kubernetes-namespace>.es.local, and have it corrected afterwards (because of the issue with the wizard) in the trust.yml file with another value *.node.<cluster-name>.<kubernetes-namespace>.es.local, rather than:
- not selecting
trust clusters whose CN follow the Elastic patternso that no misleading value is added to thetrust.ymlfile, - later on, after downloading the
trust.ymlfile, add the definitive correct value (*.node.<cluster-name>.<kubernetes-namespace>.es.local).
Both solutions are ok that said. The proposed solution has the advantage to be easier to amend once the wizard has been fix
|
@jeanfabrice , thanks! I think your proposal would simplify the process also, so let me apply a few changes and share them with you. Update: I have a concern of your proposal:
But what about @naemono , would you please help us to determine if that part of the section can be left empty or if it's better to provide a cc: @pebrc |
|
@jeanfabrice : As mentioned in private, your proposal won't work, as ECH needs the So I'm leaving the procedure as it is, as I have fully tested it a few times and remote cluster functionality works fine in both directions. In summary: The select trusted clusters section cannot be left empty |
|
🔍 Preview links for changed docs: 🔔 The preview site may take up to 3 minutes to finish building. These links will become live once it completes. |
eedugon
added
bug
|
@shainaraskas : I'm pinging you for reviewing. Nothing urgent. This PR fixes a bug that we had in the original procedure. Anyway we should soon add to this document the procedure using API Keys for this use case (as that's feasible now but still not documented). But that should be done at a later stage. @pebrc : Feel free to give your thoughts, the procedure has been tested using the exact yamls provided in the doc and all works fine. |
| @@ -12,84 +12,137 @@ products: | |||
|
|
|||
| # Remote clusters between {{ech}} and ECK [ec-enable-ccs-for-eck] | |||
|
|
|||
| These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). | |||
| These steps describe how to configure remote clusters between an {{es}} cluster in {{ech}} (ECH) and an {{es}} cluster running within [{{eck}} (ECK)](/deploy-manage/deploy/cloud-on-k8s.md). Once that’s done, you’ll be able to [run CCS queries from {{es}}](/solutions/search/cross-cluster-search.md) or [set up CCR](/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md). | |||
|
|
|||
|
|
|||
| ## Establish trust between two clusters [ec_establish_trust_between_two_clusters] | |||
There was a problem hiding this comment.
| ## Establish trust between two clusters [ec_establish_trust_between_two_clusters] | |
| ## Establish trust between the two clusters [ec_establish_trust_between_two_clusters] |
|
|
||
| 2. Select `Save` and then download the CA Certificate and `trust.yml` file. These files can also be retrieved in the `Security` page of the deployment. You will use these files in the next set of steps. | ||
| 2. Select **Certificates** as authentication mechanism and click **Next**. |
There was a problem hiding this comment.
| 2. Select **Certificates** as authentication mechanism and click **Next**. | |
| 2. Select **Certificates** as the authentication mechanism and click **Next**. |
|
|
||
| ### Establish trust in the {{ech}} cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] | ||
| ### Establish trust in the ECH cluster [ec_establish_trust_in_the_elasticsearch_service_cluster] |
There was a problem hiding this comment.
nitpick: an intro sentence before a procedure is nice
| Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: | ||
|
|
||
| ```sh | ||
| "*.node.*.cluster.<kubernetes-namespace>.es.local.account" | ||
| ``` | ||
|
|
||
| with the correct subject name for your ECK cluster, using the following pattern: | ||
|
|
||
| ```sh | ||
| "*.node.<cluster-name>.<kubernetes-namespace>.es.local" | ||
| ``` |
There was a problem hiding this comment.
avoid sentence fragments like this
| Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: | |
| ```sh | |
| "*.node.*.cluster.<kubernetes-namespace>.es.local.account" | |
| ``` | |
| with the correct subject name for your ECK cluster, using the following pattern: | |
| ```sh | |
| "*.node.<cluster-name>.<kubernetes-namespace>.es.local" | |
| ``` | |
| Replace the line corresponding to the `Scope ID` you entered when configuring trust in the ECH deployment: | |
| ```sh | |
| "*.node.*.cluster.<kubernetes-namespace>.es.local.account" | |
| ``` | |
| Replace it with the correct subject name for your ECK cluster. The new subject name should use the following pattern: | |
| ```sh | |
| "*.node.<cluster-name>.<kubernetes-namespace>.es.local" | |
| ``` |
| ``` | ||
|
|
||
| ::::{important} | ||
| If you don’t update this entry, {{es}} nodes of your ECK deployment may fail to start or join the cluster due to failed trust validation. |
There was a problem hiding this comment.
| If you don’t update this entry, {{es}} nodes of your ECK deployment may fail to start or join the cluster due to failed trust validation. | |
| If you don’t update this entry, {{es}} nodes of your ECK deployment might fail to start or join the cluster due to failed trust validation. |
| If you don’t update this entry, {{es}} nodes of your ECK deployment may fail to start or join the cluster due to failed trust validation. | ||
| :::: | ||
|
|
||
| For example, the original downloaded file might contain: |
There was a problem hiding this comment.
| For example, the original downloaded file might contain: | |
| For example, the original downloaded file might contain the following: |
| 1. This entry identifies your ECH deployment. Leave it unchanged. | ||
| 2. This entry identifies your ECK deployment incorrectly, and must be updated. | ||
|
|
||
| For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like: |
There was a problem hiding this comment.
| For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like: | |
| For an ECK cluster named `quickstart` in the `default` namespace, the updated file should look like the following: |
| ``` | ||
|
|
||
| 2. Upload the `trust.yml` file (that you downloaded in the last step of the previous section) as a Kubernetes config map. | ||
| 3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run: |
There was a problem hiding this comment.
| 3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run: | |
| 3. In the same namespace as your {{es}} cluster, upload the updated `trust.yml` file as a Kubernetes ConfigMap. For a cluster named `quickstart`, run the following command: |
| ``` | ||
|
|
||
| 3. Edit the {{es}} kubernetes resource to ensure the following sections are included. This assumes the {{es}} deployment is named `quickstart`. Make sure to replace the `CA-Certificate-Filename` placeholder with the correct value. Note that these configuration changes are required for all `nodeSets`. Applying this change requires all pods in all `nodeSets` to be deleted and recreated, which might take quite a while to complete. | ||
| 4. Edit the {{es}} Kubernetes resource to include the following configuration. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: |
There was a problem hiding this comment.
| 4. Edit the {{es}} Kubernetes resource to include the following configuration. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: | |
| 4. Edit the {{es}} Kubernetes resource to reference the new certificate and trust.yml file. This example assumes that the Kubernetes secret and ConfigMap created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: |
| 4. Edit the {{es}} Kubernetes resource to include the following configuration. This example assumes that the Kubernetes secret and config map created in the previous steps are named `remote-ech-ca` and `quickstart-trust-ech`, respectively: | ||
|
|
||
| ::::{note} | ||
| Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which may take some time to complete. |
There was a problem hiding this comment.
| Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which may take some time to complete. | |
| Apply these changes to all `nodeSets` of your cluster. Updating this configuration will restart all {{es}} pods, which might take some time to complete. |
Preview:
Summary of changes:
Fixes #1378
Relates to private cloud issue https://github.com/elastic/cloud/issues/141360
Closes #1378