This article walks step by step through enabling cross-cluster replication (CCR) between ESS (Cloud) and ECK. ESS will act as the remote cluster.

  1. Set up an ECK cluster.
  2. Once the ECK cluster is configured, enable the enterprise trial license to unlock cross-cluster replication functionality. After enabling the license, verify that the Cross-Cluster Replication tab is available under the Data section of Stack Management.

To enable a trial license, use the YAML below as a reference.

apiVersion: v1
kind: Secret
metadata:
  name: eck-trial-license
  namespace: elastic-system
  labels:
    license.k8s.elastic.co/type: enterprise_trial
  annotations:
    elastic.co/eula: accepted

3. Set up an ESS cluster in Elastic Cloud.

4. Establish trust between the two clusters (this needs to be done on both clusters).
 First, we need to establish trust in the Elasticsearch Service cluster.

  • Save the ECK CA certificate to a file. For a cluster named quickstart, run the command below against the ECK cluster; eck.ca.crt is the generated certificate that will be uploaded to the ESS cloud cluster later.

kubectl get secret quickstart-es-transport-certs-public -o go-template='{{index .data "ca.crt" | base64decode}}' > eck.ca.crt

Update the trust settings for the ESS cloud cluster

  • Use the certificate file saved in the first step. Log in to the ESS cloud admin console, navigate to the Security section, scroll down and click Add Trusted Environment. Select the self-managed option and then Certificates on the next page. Upload the certificate (eck.ca.crt) generated in the previous step. Select Trust clusters whose Common Name follows the Elastic pattern (below) and then name the environment.
    - Select the Elastic Cloud pattern and enter default.es.local for the Scope ID.
    - Select Save and then download the CA certificate and the trust.yml file. These files can also be retrieved from the Security page of the deployment. You will use these files in the next set of steps.

5. Establish trust in the ECK cluster

  • Upload the Elasticsearch Service certificate (that you downloaded in the last step of the previous section) as a Kubernetes secret.

kubectl create secret generic ce-aws-cert --from-file=<path to certificate file>

  • Upload the trust.yml file (that you downloaded in the last step of the previous section) as a Kubernetes config map.

kubectl create configmap quickstart-trust --from-file=<path to trust.yml>

  • Edit the Elasticsearch Kubernetes resource to ensure the following sections are included. This assumes the Elasticsearch deployment is named quickstart. Make sure to replace downloaded.crt in the certificate path with the correct file name of the certificate you downloaded. Note that these configuration changes are required for all node sets.

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.12.1
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
      xpack.security.transport.ssl.certificate_authorities:
      - /usr/share/elasticsearch/config/other/downloaded.crt
      xpack.security.transport.ssl.trust_restrictions.path: /usr/share/elasticsearch/config/trust-filter/trust.yml
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          volumeMounts:
          - mountPath: /usr/share/elasticsearch/config/other
            name: ce-aws-cert
          - mountPath: /usr/share/elasticsearch/config/trust-filter
            name: quickstart-trust
        volumes:
        - name: ce-aws-cert
          secret:
            secretName: ce-aws-cert
        - name: quickstart-trust
          configMap:
            name: quickstart-trust

  • Verify that the above changes are applied successfully and all the pods are running without any issues.
  • Add the remote cluster (ESS in this case) either from the Kibana UI of the local ECK cluster (Stack Management > Data > Remote Clusters > Add a remote cluster) or via the Elasticsearch API using Dev Tools in the local ECK cluster. Fetch proxy_address and server_name from the Security section of the ESS cloud console.

PUT /_cluster/settings
{
  "persistent": {
    "cluster": {
      "remote": {
        "remote-cluster": {
          "mode": "proxy",
          "proxy_address": "url:9400",
          "server_name": "url"
        }
      }
    }
  }
}

Once the remote cluster is configured, validate from the Kibana UI that the remote cluster is connected, or use GET /_remote/info to get the connection status.
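A check over the GET /_remote/info response for the remote-cluster alias configured above, as an added example that is not part of the original article. The two sample responses are constructed, the host names are placeholders, and check_remote is a hypothetical helper name.

```python
import json

# Constructed sample GET /_remote/info responses (proxy mode); host names are placeholders.
HEALTHY = json.loads("""
{"remote-cluster": {"connected": true, "mode": "proxy",
  "proxy_address": "ess.example.invalid:9400", "server_name": "ess.example.invalid",
  "num_proxy_sockets_connected": 18, "max_proxy_socket_connections": 18,
  "initial_connect_timeout": "30s", "skip_unavailable": false}}
""")
# Constructed failure case: server_name left unset and no transport connection open.
BROKEN = json.loads("""
{"remote-cluster": {"connected": false, "mode": "proxy",
  "proxy_address": "ess.example.invalid:9400", "server_name": "",
  "num_proxy_sockets_connected": 0, "max_proxy_socket_connections": 18,
  "initial_connect_timeout": "30s", "skip_unavailable": false}}
""")


def check_remote(info, alias="remote-cluster", expected_proxy=None):
    """Return a list of problems for one remote alias; an empty list means healthy."""
    remote = info.get(alias)
    if remote is None:
        return [f"alias {alias!r} missing: the cluster settings were not applied"]
    problems = []
    if remote.get("mode") != "proxy":
        problems.append(f"mode is {remote.get('mode')!r}, expected 'proxy'")
    proxy = remote.get("proxy_address", "")
    host, sep, port = proxy.rpartition(":")
    if not (host and sep and port.isdigit()):
        problems.append(f"proxy_address {proxy!r} is not host:port")
    if expected_proxy and proxy != expected_proxy:
        problems.append(f"proxy_address {proxy!r} differs from {expected_proxy!r}")
    if not remote.get("server_name"):
        problems.append("server_name is empty")
    if not remote.get("connected"):
        problems.append("connected is false: re-check the CA files, trust.yml and pod mounts")
    if remote.get("num_proxy_sockets_connected", 0) == 0:
        problems.append("no proxy sockets are open")
    return problems


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, check_remote(sample) or "OK")
```

Pass expected_proxy with the value copied from the ESS console to catch a remote that is registered but points at a different endpoint than intended.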

Configure Leader and Follower indices

Do reach out for any clarification.

