A newer version is available. For the latest information, see the
current release documentation.
Configure validating webhook
A validating webhook provides additional validation of Elasticsearch resources: it provides immediate feedback on the Elasticsearch manifests you submit, allowing you to catch errors right away before ECK even tries to fulfill your request.
Architecture
The webhook is composed of 4 main components. Here is a brief description of each of them to understand how they interact, their naming, and how they are managed.
- A ValidatingWebhookConfiguration object that defines the validating webhook, targeting the right webhook path and resource. It must be created before starting the operator. The caBundle field can be automatically managed as part of the automatic certificate management (see below).
- A Kubernetes Service is used to expose the validating server, named elastic-webhook-server. It is in the same Namespace as the webhook server.
- A webhook server that actually validates the submitted resources. In ECK it is the operator itself when it is configured with the webhook enabled. See Configuring ECK for more information about the enable-webhook flag.
- A Secret containing the required certificates to secure the connection between the API server and the webhook server.
  Like the ValidatingWebhookConfiguration, it must be created before starting the operator, even if it is empty. By default its name is elastic-webhook-server-cert. The content of this Secret and the lifecycle of the certificates are automatically managed for you. ECK generates a dedicated and separate certificate authority and ensures that all components are rotated before the expiration date. The certificate authority is also used to configure the caBundle field of the ValidatingWebhookConfiguration. You can disable this feature if you want to manage the certificates yourself or with cert-manager. See this example.
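A preflight check that the four components described above line up, written as an added example (not ECK's own code). It takes objects shaped like kubectl get ... -o json output. The function names, the sample namespace, the webhook name and the path are assumptions made for illustration, as is the rule that caBundle may be empty only before the operator has started.

```python
import base64
import binascii

SERVICE_NAME = "elastic-webhook-server"      # Service name given on the page
SECRET_NAME = "elastic-webhook-server-cert"  # default Secret name given on the page


def keys_of(objs):
    return {(o["metadata"]["namespace"], o["metadata"]["name"]) for o in objs}


def is_pem_bundle(b64):
    """caBundle is base64 in JSON output and must decode to PEM certificates."""
    try:
        return b"-----BEGIN CERTIFICATE-----" in base64.b64decode(b64 or "", validate=True)
    except (binascii.Error, ValueError):
        return False


def preflight(vwc, services, secrets, operator_ns, operator_started):
    """Return a list of findings; an empty list means the pieces line up."""
    findings = []
    if (operator_ns, SECRET_NAME) not in keys_of(secrets):
        findings.append(f"Secret {operator_ns}/{SECRET_NAME} is missing; create it, even empty")
    if vwc is None:
        findings.append("ValidatingWebhookConfiguration is missing; create it before the operator")
        return findings
    for wh in vwc.get("webhooks", []):
        cc = wh.get("clientConfig", {})
        svc = cc.get("service") or {}
        ref = (svc.get("namespace"), svc.get("name"))
        if ref != (operator_ns, SERVICE_NAME):
            findings.append(f"{wh.get('name')}: targets {ref}, not {operator_ns}/{SERVICE_NAME}")
        elif ref not in keys_of(services):
            findings.append(f"{wh.get('name')}: Service {ref[0]}/{ref[1]} does not exist")
        # Assumption: with automatic certificate management the operator fills
        # caBundle once it runs, so an empty value is only acceptable before start.
        if operator_started and not is_pem_bundle(cc.get("caBundle")):
            findings.append(f"{wh.get('name')}: caBundle is empty or not PEM")
    return findings


# Constructed sample objects; namespace, webhook name and path are placeholders.
NS = "example-operator-ns"
SAMPLE_VWC = {"webhooks": [{"name": "example-webhook", "clientConfig": {
    "caBundle": "", "service": {"namespace": NS, "name": SERVICE_NAME, "path": "/example-path"}}}]}
SAMPLE_SVC = [{"metadata": {"namespace": NS, "name": SERVICE_NAME}}]
SAMPLE_SECRET = [{"metadata": {"namespace": NS, "name": SECRET_NAME}, "data": {}}]

if __name__ == "__main__":
    print(preflight(SAMPLE_VWC, SAMPLE_SVC, SAMPLE_SECRET, NS, operator_started=False))
```

Run it once before starting the operator with operator_started=False, and again afterwards with operator_started=True to confirm the caBundle was populated.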