Description
This page https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/file-based#k8s-basic
That intends to address issues in ECK clusters when the security index is gone (it says: "For example in cases where the cluster is unresponsive or the security index is unavailable")
Gives us this example for creating a new user and role:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro # required field for kubernetes.io/basic-auth
  password: mypassword # required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin # optional, not part of kubernetes.io/basic-auth
```
It lists roles inside the auth secret and lists only the auth secret in the manifest:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: elasticsearch-sample
spec:
  version: 8.16.1
  auth:
    fileRealm:
    - secretName: secret-basic-auth
  nodeSets:
  - name: default
    count: 1
```
However, this doesn't work (only if those roles already exist in the cluster, but we are talking about when the security index is gone, just like this page's description mentions).
The correct example should include the secret for user and role creation:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: my_admin
  password: my_password
  roles: new_role
---
apiVersion: v1
kind: Secret
metadata:
  name: my-roles-secret
stringData:
  roles.yml: |-
    new_role:
      cluster:
      - all
      indices:
      - names: [ '*' ]
        privileges: [ 'all' ]
        allow_restricted_indices: true
```
and the correct Elasticsearch manifest should include:
```yaml
  auth:
    fileRealm:
    - secretName: secret-basic-auth
    roles:
    - secretName: my-roles-secret
```
Which documentation set does this change impact?
Elastic On-Prem only
Feature differences
What release is this request related to?
N/A
Serverless release
Collaboration model
The documentation team
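A pre-apply check for the mismatch this issue describes, as an added example that is not part of the original issue or of ECK: it reports file realm users (basic-auth style secrets only) whose roles are not defined in any secret listed under `spec.auth.roles`. The function names, the `known_roles` parameter (roles the operator already knows exist without a roles secret) and the sample objects are assumptions constructed for illustration.

```python
import base64
import re

def secret_fields(secret):
    """Merge base64 `data` (API form) with plain `stringData` (manifest form)."""
    fields = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    fields.update(secret.get("stringData", {}))
    return fields

def defined_roles(roles_yml):
    """Role names are the top-level (unindented) keys of roles.yml."""
    return set(re.findall(r"^([\w.@-]+):", roles_yml, flags=re.M))

def undefined_file_realm_roles(es, secrets, known_roles=()):
    """Return {username: [roles]} for file realm users whose roles are neither
    defined in a secret under spec.auth.roles nor listed in known_roles
    (hypothetical allowlist supplied by the operator)."""
    auth = es.get("spec", {}).get("auth", {})
    available = set(known_roles)
    for ref in auth.get("roles", []):
        fields = secret_fields(secrets.get(ref["secretName"], {}))
        available |= defined_roles(fields.get("roles.yml", ""))
    missing = {}
    for ref in auth.get("fileRealm", []):
        fields = secret_fields(secrets.get(ref["secretName"], {}))
        if "username" not in fields:
            continue  # not a basic-auth style secret; other formats are out of scope here
        wanted = [r.strip() for r in fields.get("roles", "").split(",") if r.strip()]
        gap = [r for r in wanted if r not in available]
        if gap:
            missing[fields["username"]] = gap
    return missing

# Constructed sample input reusing the names from the issue above.
SECRETS = {
    "secret-basic-auth": {"type": "kubernetes.io/basic-auth", "stringData": {
        "username": "my_admin", "password": "my_password", "roles": "new_role"}},
    "my-roles-secret": {"data": {"roles.yml": base64.b64encode(
        b"new_role:\n  cluster:\n  - all\n").decode()}},
}
ES_USERS_ONLY = {"spec": {"auth": {"fileRealm": [{"secretName": "secret-basic-auth"}]}}}
ES_WITH_ROLES = {"spec": {"auth": {"fileRealm": [{"secretName": "secret-basic-auth"}],
                                   "roles": [{"secretName": "my-roles-secret"}]}}}

if __name__ == "__main__":
    print(undefined_file_realm_roles(ES_USERS_ONLY, SECRETS))
    print(undefined_file_realm_roles(ES_WITH_ROLES, SECRETS))
```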