Manage the webhook certificate with cert-manager
If ECK is currently running, you must first ensure that the automatic certificate management feature is disabled. To do so, update the operator deployment manifest and add the --manage-webhook-certs=false flag.
Then, cert-manager v0.11+ must be installed as described in the cert-manager documentation.
The following example shows how to create all the resources that a webhook requires to function.
```sh
cat <<EOF | kubectl apply -f -
---
# this configures
# - a self signed cert-manager issuer
# - a service to point to the webhook
# - a self signed certificate for the webhook service
# - a validating webhook configuration
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: elastic-system
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: elastic-webhook
  namespace: elastic-system
spec:
  commonName: elastic-webhook.elastic-system.svc
  dnsNames:
  - elastic-webhook.elastic-system.svc.cluster.local
  - elastic-webhook.elastic-system.svc
  issuerRef:
    kind: Issuer
    name: selfsigned-issuer
  secretName: elastic-webhook-server-cert
---
apiVersion: v1
kind: Service
metadata:
  # must match clientConfig.service.name below and the certificate's dnsNames
  name: elastic-webhook
  namespace: elastic-system
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: 9443
  selector:
    control-plane: elastic-operator
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: elastic-webhook.k8s.elastic.co
  annotations:
    cert-manager.io/inject-ca-from: elastic-system/elastic-webhook
webhooks:
- clientConfig:
    # placeholder; cert-manager's cainjector replaces it via the inject-ca-from annotation
    caBundle: Cg==
    service:
      name: elastic-webhook
      namespace: elastic-system
      # this is the path controller-runtime automatically generates
      path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch
  failurePolicy: Ignore
  name: elastic-es-validation-v1.k8s.elastic.co
  sideEffects: None
  rules:
  - apiGroups:
    - elasticsearch.k8s.elastic.co
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - elasticsearches
EOF
```
This example assumes that you have installed the operator in the elastic-system namespace.
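
The resources above only work together if the webhook's clientConfig.service names a Service that exists, the inject-ca-from annotation names the Certificate, and that Certificate's dnsNames cover the service's DNS name. The following is an added example, not part of the ECK documentation, that cross-checks those names on already-parsed manifests. The function names check_webhook_wiring and sample_docs are hypothetical, and the sample data is constructed from the resource names used on this page.

```python
def check_webhook_wiring(docs):
    """Return a list of wiring problems found in parsed manifest dicts."""
    by_kind = {}
    for d in docs:
        md = d["metadata"]
        by_kind.setdefault(d["kind"], {})[(md.get("namespace"), md["name"])] = d
    problems = []
    for vwc in by_kind.get("ValidatingWebhookConfiguration", {}).values():
        # cert-manager's cainjector reads "<namespace>/<certificate name>" here
        ref = vwc["metadata"].get("annotations", {}).get(
            "cert-manager.io/inject-ca-from", "")
        certs = by_kind.get("Certificate", {})
        cert = certs.get(tuple(ref.split("/", 1))) if "/" in ref else None
        if cert is None:
            problems.append(f"inject-ca-from {ref!r} names no Certificate")
        for wh in vwc.get("webhooks", []):
            svc = wh["clientConfig"]["service"]
            key = (svc["namespace"], svc["name"])
            if key not in by_kind.get("Service", {}):
                problems.append(f"{wh['name']}: Service {key[0]}/{key[1]} is not defined")
            # The API server connects to <name>.<namespace>.svc and expects
            # the served certificate to be valid for that host name.
            host = f"{svc['name']}.{svc['namespace']}.svc"
            if cert is not None and host not in cert["spec"].get("dnsNames", []):
                problems.append(f"{wh['name']}: certificate dnsNames lack {host}")
    return problems


def sample_docs(service_name):
    """Constructed sample input using the resource kinds and names from this page."""
    ns = "elastic-system"
    return [
        {"kind": "Certificate", "metadata": {"name": "elastic-webhook", "namespace": ns},
         "spec": {"dnsNames": ["elastic-webhook.elastic-system.svc.cluster.local",
                               "elastic-webhook.elastic-system.svc"]}},
        {"kind": "Service", "metadata": {"name": service_name, "namespace": ns}},
        {"kind": "ValidatingWebhookConfiguration",
         "metadata": {"name": "elastic-webhook.k8s.elastic.co", "annotations": {
             "cert-manager.io/inject-ca-from": ns + "/elastic-webhook"}},
         "webhooks": [{"name": "elastic-es-validation-v1.k8s.elastic.co",
                       "clientConfig": {"service": {"name": "elastic-webhook",
                                                    "namespace": ns}}}]},
    ]


if __name__ == "__main__":
    for name in ("elastic-webhook", "elastic-webhook-server"):
        print(name, "->", check_webhook_wiring(sample_docs(name)) or "consistent")
```

With failurePolicy: Ignore, as in the example above, a failed call to the webhook does not block the request, so a naming mismatch shows up only as validation that never runs.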