Transport settings

The transport module in Elasticsearch is used for internal communication between nodes within the cluster as well as communication between remote clusters. Check the Elasticsearch documentation for details. For customization options of the HTTP layer, check Services and TLS certificates.

Customize the Transport Service

In the spec.transport.service section, you can change the Kubernetes service used to expose the Elasticsearch transport module:

spec:
  transport:
    service:
      metadata:
        labels:
          my-custom: label
      spec:
        type: LoadBalancer

Check the Kubernetes Publishing Services (ServiceTypes) that are currently available.

When you change the clusterIP setting of the service, ECK deletes and re-creates the service, as clusterIP is an immutable field. This will cause a short network disruption, but in most cases it should not affect existing connections as the transport module uses long-lived TCP connections.

Configure a custom Certificate Authority

Elasticsearch uses X.509 certificates to establish encrypted and authenticated connections across nodes in the cluster. By default, ECK creates a self-signed CA certificate to issue a certificate for each node in the cluster.

Instead of the self-signed CA, you can use a Kubernetes secret to provide your own CA, which ECK then uses to create the node certificates for transport connections. The CA certificate must be stored in the secret under ca.crt and the private key must be stored under ca.key.

Reference the name of the secret that contains the TLS private key and the CA certificate in the spec.transport.tls.certificate section, as shown in this example:

spec:
  transport:
    tls:
      certificate:
        secretName: custom-ca
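
One way to produce that secret with openssl, as an added example that is not part of the ECK documentation. The function names, the RSA 3072 key, the 365-day validity, the CN and the output file names are assumptions; only the secret name custom-ca and the keys ca.crt and ca.key come from the text above.

```shell
#!/bin/sh
# Added example: build the CA secret that spec.transport.tls.certificate.secretName references.
# Assumed, not from the page: RSA 3072, 365-day validity, the CN, and the output file names.

# make_transport_ca_secret DIR [SECRET_NAME]
# Writes DIR/ca.key, DIR/ca.crt and DIR/secret.yaml. The body is a subshell,
# so umask and variables stay local and `exit` only ends the function.
make_transport_ca_secret() (
    dir=$1 name=${2:-custom-ca}
    umask 077                      # key and manifest readable by owner only
    mkdir -p "$dir" || exit 1
    # Explicit config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = es-transport-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null || exit 1
    check_ca_pair "$dir/ca.crt" "$dir/ca.key" || exit 1
    cat > "$dir/secret.yaml" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
data:
  ca.crt: $(openssl base64 -A -in "$dir/ca.crt")
  ca.key: $(openssl base64 -A -in "$dir/ca.key")
EOF
)

# check_ca_pair CERT KEY: succeed only if CERT is a CA certificate and KEY is
# its unencrypted private key (public keys compared, nothing is signed).
check_ca_pair() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Call `make_transport_ca_secret ./ca` and apply `./ca/secret.yaml` with `kubectl apply -f` in the namespace of the Elasticsearch resource. The manifest contains the CA private key, so treat it like the key file itself and keep it out of version control.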

Customize the node transport certificates

The operator generates a self-signed TLS certificate for each node in the cluster. You can add extra IP addresses or DNS names to the generated certificates as follows:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.17.0
  transport:
    tls:
      subjectAltNames:
      - ip: 1.2.3.4
      - dns: hulk.example.com
  nodeSets:
  - name: default
    count: 3