Configure ECK

edit

ECK can be configured using either command line flags or environment variables.

Flag Default Description

ca-cert-rotate-before

24h

Duration representing how long before expiration CA certificates should be re-issued.

ca-cert-validity

8760h

Duration representing the validity period of a generated CA certificate.

ca-dir

""

Path to a directory containing a CA certificate (tls.crt) and its associated private key (tls.key) to be used for all managed resources. Effectively disables the CA rotation and validity options.

cert-rotate-before

24h

Duration representing how long before expiration TLS certificates should be re-issued.

cert-validity

8760h

Duration representing the validity period of a generated TLS certificate.

config

""

Path to a file containing the operator configuration.

container-registry

docker.elastic.co

Container registry to use for pulling Elastic Stack container images.

container-repository

""

Container repository to use for pulling Elastic Stack container images.

container-suffix

""

Suffix to be appended to container images by default. Cannot be combined with --ubi-only flag.

disable-config-watch

false

Watch the configuration file for changes and restart to apply them. Only effective when the --config flag is used to set the configuration file.

disable-telemetry

false

Disable periodically updating ECK telemetry data for Kibana to consume.

elasticsearch-client-timeout

180s

Default timeout for requests made by the Elasticsearch client.

enable-leader-election

true

Enable leader election. Must be set to true if using multiple replicas of the operator

enable-tracing

false

Enable APM tracing in the operator process. Use environment variables to configure APM server URL, credentials, and so on. Check Apm Go Agent reference for details.

enable-webhook

false

Enables a validating webhook server in the operator process.

enforce-rbac-on-refs

false

Enables restrictions on cross-namespace resource association through RBAC.

exposed-node-labels

""

List of Kubernetes node labels which are allowed to be copied as annotations on the Elasticsearch Pods. Check Topology spread constraints and availability zone awareness for more details.

ip-family

""

Set the IP family to use. Possible values: IPv4, IPv6, "" (= auto-detect)

kube-client-qps

0

Set the maximum number of queries per second to the Kubernetes API. Default value is inherited from the Go client.

kube-client-timeout

60s

Set the request timeout for Kubernetes API calls made by the operator.

log-verbosity

0

Verbosity level of logs. -2=Error, -1=Warn, 0=Info, 0 and above=Debug.

manage-webhook-certs

true

Enables automatic webhook certificate management.

max-concurrent-reconciles

3

Maximum number of concurrent reconciles per controller (Elasticsearch, Kibana, APM Server). Affects the ability of the operator to process changes concurrently.

metrics-cert-dir

"{TempDir}/k8s-metrics-server/serving-certs"

Location of TLS certs for the metrics server. Directory needs to contain tls.key and tls.crt. If empty self-signed certificates are used. Only effective when combined with metrics-port and metrics-secure.

metrics-host

0.0.0.0

The host to which the operator should bind to serve metrics in the Prometheus format. Will be combined with metrics-port.

metrics-port

0

Prometheus metrics port. Set to 0 to disable the metrics endpoint.

metrics-secure

false

Enables TLS for the metrics server. Only effective combined with metrics-port.

namespaces

""

Namespaces in which this operator should manage resources. Accepts multiple comma-separated values. Defaults to all namespaces if empty or unspecified.

operator-namespace

""

Namespace the operator runs in. Required.

password-hash-cache-size

5 x max-concurrent-reconciles

Sets the size of the password hash cache. Caching is disabled if explicitly set to 0 or any negative value.

set-default-security-context

auto-detect

Enables adding a default Pod Security Context to Elasticsearch Pods in Elasticsearch 8.0.0 and later. fsGroup is set to 1000 by default to match Elasticsearch container default UID. This behavior might not be appropriate for OpenShift and PSP-secured Kubernetes clusters, so it can be disabled.

ubi-only

false

Use only UBI container images to deploy Elastic Stack applications. UBI images are only available from 7.10.0 onward. Cannot be combined with --container-suffix flag.

validate-storage-class

true

Specifies whether the operator should retrieve storage classes to verify volume expansion support. Can be disabled if cluster-wide storage class RBAC access is not available.

webhook-cert-dir

"{TempDir}/k8s-webhook-server/serving-certs"

Path to the directory that contains the webhook server key and certificate.

webhook-name

"elastic-webhook.k8s.elastic.co"

Name of the Kubernetes ValidatingWebhookConfiguration resource. Only used when enable-webhook is true.

webhook-secret

""

K8s secret mounted into the path designated by webhook-cert-dir to be used for webhook certificates.

webhook-port

9443

Port to listen for incoming validation requests.

Unless noted otherwise, environment variables can be used instead of flags to configure the operator as well. Simply convert the flag name to upper case and replace any dashes (-) with underscores (_). For example, the log-verbosity flag can be set by an environment variable named LOG_VERBOSITY.

Duration values should be specified as numeric values suffixed by the time unit. For example, a duration of 10 hours should be specified as 10h. Acceptable time unit suffixes are:

Suffix Unit

ms

Milliseconds

s

Seconds

m

Minutes

h

Hours

If you have a large number of configuration options to specify, use the --config flag to point to a file containing those options. For example, assume you have a file named eck-config.yaml with the following content:

eck-config.yaml.

log-verbosity: 2
metrics-port: 6060
namespaces: [ns1, ns2, ns3]

The operator can be started using any of the following methods to achieve the same end result:

Configuration file method.

./elastic-operator manager --config=eck-config.yaml

Command-line flags method.

./elastic-operator manager --log-verbosity=2 --metrics-port=6060 --namespaces=ns1,ns2,ns3

Environment variables method.

LOG_VERBOSITY=2 METRICS_PORT=6060 NAMESPACES="ns1,ns2,ns3" ./elastic-operator manager

If you use a combination of all or some of the these methods, the descending order of precedence in case of a conflict is as follows:

  • Flag
  • Environment variable
  • File

You can edit the elastic-operator ConfigMap to change the operator configuration. Unless the --disable-config-watch flag is set, the operator should restart automatically to apply the new changes. Alternatively, you can edit the elastic-operator StatefulSet and add flags to the args section — which will trigger an automatic restart of the operator pod by the StatefulSet controller.

Configure ECK under Operator Lifecycle Manager

edit

If you use Operator Lifecycle Manager (OLM) to install and run ECK, follow these steps to configure the operator:

  • Create a new ConfigMap in the same namespace as the operator. It should contain a key named eck.yaml pointing to the desired configuration values.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: elastic-operator
      namespace: openshift-operators
    data:
      eck.yaml: |-
        log-verbosity: 0
        metrics-port: 6060
        container-registry: docker.elastic.co
        max-concurrent-reconciles: 3
        ca-cert-validity: 8760h
        ca-cert-rotate-before: 24h
        cert-validity: 8760h
        cert-rotate-before: 24h
  • Update your Subscription to mount the ConfigMap under /conf.

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: elastic-cloud-eck
      namespace: openshift-operators
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: elastic-cloud-eck
      source: elastic-operators
      sourceNamespace: openshift-marketplace
      startingCSV: elastic-cloud-eck.v2.16.0
      config:
        volumes:
          - name: config
            configMap:
              name: elastic-operator
        volumeMounts:
          - name: config
            mountPath: /conf
            readOnly: true