A newer version is available. For the latest information, see the
current release documentation.
Manage the webhook certificate with cert-manager
editManage the webhook certificate with cert-manager
editIf ECK is currently running, first make sure that the automatic certificate management feature is disabled. To do this, add the --manage-webhook-certs=false
flag to the operator deployment manifest.
Then, install cert-manager v0.11+ as described in the cert-manager documentation.
This example shows how to create all the resources that a webhook requires to function.
cat <<EOF | kubectl apply -f - --- # this configures # - a self signed cert-manager issuer # - a service to point to the webhook # - a self signed certificate for the webhook service # - a validating webhook configuration apiVersion: cert-manager.io/v1alpha2 kind: Issuer metadata: name: selfsigned-issuer namespace: elastic-system spec: selfSigned: {} --- apiVersion: cert-manager.io/v1alpha2 kind: Certificate metadata: name: elastic-webhook namespace: elastic-system spec: commonName: elastic-webhook.elastic-system.svc dnsNames: - elastic-webhook.elastic-system.svc.cluster.local - elastic-webhook.elastic-system.svc issuerRef: kind: Issuer name: selfsigned-issuer secretName: elastic-webhook-server-cert --- apiVersion: v1 kind: Service metadata: name: elastic-webhook-server namespace: elastic-system spec: ports: - port: 443 protocol: TCP targetPort: 9443 name: https-webhook selector: control-plane: elastic-operator sessionAffinity: None type: ClusterIP --- apiVersion: admissionregistration.k8s.io/v1beta1 kind: ValidatingWebhookConfiguration metadata: name: elastic-webhook.k8s.elastic.co annotations: cert-manager.io/inject-ca-from: elastic-system/elastic-webhook webhooks: - clientConfig: caBundle: Cg== service: name: elastic-webhook namespace: elastic-system # this is the path controller-runtime automatically generates path: /validate-elasticsearch-k8s-elastic-co-v1-elasticsearch failurePolicy: Ignore name: elastic-es-validation-v1.k8s.elastic.co sideEffects: None rules: - apiGroups: - elasticsearch.k8s.elastic.co apiVersions: - v1 operations: - CREATE - UPDATE resources: - elasticsearches EOF
This example assumes that you have installed the operator in the elastic-system
namespace.