Rotate auto-generated credentials

edit

When deploying an Elastic Stack application, the operator generates a set of credentials essential for the operation of that application. For example, these generated credentials include the default elastic user for Elasticsearch and the security token for APM Server.

To list all auto-generated credentials in a namespace, run the following command:

kubectl get secret -l eck.k8s.elastic.co/credentials=true

You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the elastic user from the quickstart example, use the following command:

kubectl delete secret quickstart-es-elastic-user

If you are using the elastic user credentials in your own applications, they will fail to connect to Elasticsearch and Kibana after you run this command. It is not recommended to use elastic user credentials for production use cases. Always create your own users with restricted roles to access Elasticsearch.

To regenerate all auto-generated credentials in a namespace, run the following command:

kubectl delete secret -l eck.k8s.elastic.co/credentials=true

This command regenerates auto-generated credentials of all Elastic Stack applications in the namespace.