Configure ECK
ECK can be configured using either command line flags or environment variables.
Flag | Default | Description |
---|---|---|
| | Duration representing how long before expiration CA certificates should be re-issued. |
| | Duration representing the validity period of a generated CA certificate. |
| | Path to a directory containing a CA certificate (tls.crt) and its associated private key (tls.key) to be used for all managed resources. Effectively disables the CA rotation and validity options. |
| | Duration representing how long before expiration TLS certificates should be re-issued. |
| | Duration representing the validity period of a generated TLS certificate. |
| | Path to a file containing the operator configuration. |
| | Container registry to use for pulling Elastic Stack container images. |
| | Container repository to use for pulling Elastic Stack container images. |
| | Suffix to be appended to container images by default. Cannot be combined with |
| | Watch the configuration file for changes and restart to apply them. Only effective when the |
| | Disable periodically updating ECK telemetry data for Kibana to consume. |
| | Default timeout for requests made by the Elasticsearch client. |
| | Enable leader election. Must be set to true if using multiple replicas of the operator |
| | Enable APM tracing in the operator process. Use environment variables to configure APM server URL, credentials, and so on. Check Apm Go Agent reference for details. |
| | Enables a validating webhook server in the operator process. |
| | Enables restrictions on cross-namespace resource association through RBAC. |
| | List of Kubernetes node labels which are allowed to be copied as annotations on the Elasticsearch Pods. Check Topology spread constraints and availability zone awareness for more details. |
| | Set the IP family to use. Possible values: IPv4, IPv6, "" (= auto-detect) |
| | Set the maximum number of queries per second to the Kubernetes API. Default value is inherited from the Go client. |
| | Set the request timeout for Kubernetes API calls made by the operator. |
| | Verbosity level of logs. |
| | Enables automatic webhook certificate management. |
| | Maximum number of concurrent reconciles per controller (Elasticsearch, Kibana, APM Server). Affects the ability of the operator to process changes concurrently. |
| | Location of TLS certs for the metrics server. Directory needs to contain tls.key and tls.crt. If empty self-signed certificates are used. Only effective when combined with metrics-port and metrics-secure. |
| | The host to which the operator should bind to serve metrics in the Prometheus format. Will be combined with metrics-port. |
| | Prometheus metrics port. Set to 0 to disable the metrics endpoint. |
| | Enables TLS for the metrics server. Only effective combined with metrics-port. |
| | Namespaces in which this operator should manage resources. Accepts multiple comma-separated values. Defaults to all namespaces if empty or unspecified. |
| | Namespace the operator runs in. Required. |
| | Sets the size of the password hash cache. Caching is disabled if explicitly set to 0 or any negative value. |
| | Enables adding a default Pod Security Context to Elasticsearch Pods in Elasticsearch |
| | Use only UBI container images to deploy Elastic Stack applications. UBI images are only available from 7.10.0 onward. Cannot be combined with |
| | Specifies whether the operator should retrieve storage classes to verify volume expansion support. Can be disabled if cluster-wide storage class RBAC access is not available. |
| | Path to the directory that contains the webhook server key and certificate. |
| | Name of the Kubernetes ValidatingWebhookConfiguration resource. Only used when |
| | K8s secret mounted into the path designated by webhook-cert-dir to be used for webhook certificates. |
| | Port to listen for incoming validation requests. |
Unless noted otherwise, environment variables can be used instead of flags to configure the operator as well. Simply convert the flag name to upper case and replace any dashes (-) with underscores (_). For example, the log-verbosity flag can be set by an environment variable named LOG_VERBOSITY.
Duration values should be specified as numeric values suffixed by the time unit. For example, a duration of 10 hours should be specified as 10h. Acceptable time unit suffixes are:
Suffix | Unit |
---|---|
| Milliseconds |
| Seconds |
| Minutes |
| Hours |
If you have a large number of configuration options to specify, use the --config flag to point to a file containing those options. For example, assume you have a file named eck-config.yaml with the following content:

eck-config.yaml:
```yaml
log-verbosity: 2
metrics-port: 6060
namespaces: [ns1, ns2, ns3]
```
The operator can be started using any of the following methods to achieve the same end result:

Configuration file method:
```sh
./elastic-operator manager --config=eck-config.yaml
```
Command-line flags method:
```sh
./elastic-operator manager --log-verbosity=2 --metrics-port=6060 --namespaces=ns1,ns2,ns3
```
Environment variables method:
```sh
LOG_VERBOSITY=2 METRICS_PORT=6060 NAMESPACES="ns1,ns2,ns3" ./elastic-operator manager
```
If you use a combination of all or some of these methods, the descending order of precedence in case of a conflict is as follows:
- Flag
- Environment variable
- File
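
When reviewing a deployment, a value in the configuration file can be overridden by an environment variable or a flag set elsewhere, so it helps to see which source wins for each setting. The following is an added example, not code from ECK: it applies the naming rule and precedence order described above to constructed inputs, and it only understands the --name=value flag form shown on this page.

```python
def env_name(flag):
    """log-verbosity -> LOG_VERBOSITY, per the conversion rule above."""
    return flag.upper().replace("-", "_")


def parse_flags(argv):
    """Collect --name=value arguments into a dict keyed by flag name."""
    flags = {}
    for arg in argv:
        if arg.startswith("--") and "=" in arg:
            name, value = arg[2:].split("=", 1)
            flags[name] = value
    return flags


def resolve(known_flags, argv, environ, file_cfg):
    """Return {flag: (value, source)} using flag > environment variable > file."""
    flags = parse_flags(argv)
    result = {}
    for name in known_flags:
        if name in flags:
            result[name] = (flags[name], "flag")
        elif env_name(name) in environ:
            result[name] = (environ[env_name(name)], "env")
        elif name in file_cfg:
            result[name] = (str(file_cfg[name]), "file")
    return result


# Constructed sample: the same settings supplied by more than one source.
KNOWN = ["log-verbosity", "metrics-port", "cert-validity", "cert-rotate-before"]
FILE_CFG = {"log-verbosity": 0, "metrics-port": 6060,
            "cert-validity": "8760h", "cert-rotate-before": "24h"}
ENVIRON = {"LOG_VERBOSITY": "2", "METRICS_PORT": "0"}
ARGV = ["manager", "--config=eck-config.yaml", "--metrics-port=6060"]

if __name__ == "__main__":
    # One line per setting: effective value and the source it came from.
    for flag, (value, source) in resolve(KNOWN, ARGV, ENVIRON, FILE_CFG).items():
        print(f"{flag:20} {value:8} from {source}")
```

Here METRICS_PORT=0 in the environment would disable the metrics endpoint if it were the only override, but the --metrics-port flag takes precedence over it.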
You can edit the elastic-operator ConfigMap to change the operator configuration. Unless the --disable-config-watch flag is set, the operator should restart automatically to apply the new changes. Alternatively, you can edit the elastic-operator StatefulSet and add flags to the args section, which will trigger an automatic restart of the operator pod by the StatefulSet controller.
Configure ECK under Operator Lifecycle Manager
If you use Operator Lifecycle Manager (OLM) to install and run ECK, follow these steps to configure the operator:
- Create a new ConfigMap in the same namespace as the operator. It should contain a key named eck.yaml pointing to the desired configuration values.

  ```yaml
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: elastic-operator
    namespace: openshift-operators
  data:
    eck.yaml: |-
      log-verbosity: 0
      metrics-port: 6060
      container-registry: docker.elastic.co
      max-concurrent-reconciles: 3
      ca-cert-validity: 8760h
      ca-cert-rotate-before: 24h
      cert-validity: 8760h
      cert-rotate-before: 24h
  ```
- Update your Subscription to mount the ConfigMap under /conf.

  ```yaml
  apiVersion: operators.coreos.com/v1alpha1
  kind: Subscription
  metadata:
    name: elastic-cloud-eck
    namespace: openshift-operators
  spec:
    channel: stable
    installPlanApproval: Automatic
    name: elastic-cloud-eck
    source: elastic-operators
    sourceNamespace: openshift-marketplace
    startingCSV: elastic-cloud-eck.v2.16.0
    config:
      volumes:
        - name: config
          configMap:
            name: elastic-operator
      volumeMounts:
        - name: config
          mountPath: /conf
          readOnly: true
  ```