diff --git a/deploy-manage/deploy/cloud-on-k8s/configure-eck.md b/deploy-manage/deploy/cloud-on-k8s/configure-eck.md index 455b74c70c..c6a41939d1 100644 --- a/deploy-manage/deploy/cloud-on-k8s/configure-eck.md +++ b/deploy-manage/deploy/cloud-on-k8s/configure-eck.md @@ -97,6 +97,7 @@ data: enable-leader-election: true elasticsearch-observation-interval: 10s ubi-only: false + password-length: 24 ``` Alternatively, you can edit the `elastic-operator` StatefulSet and add flags to the `args` section of the operator container — which will trigger an automatic restart of the operator pod by the StatefulSet controller. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md index a43aa6b69d..92033d8c6e 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md @@ -50,7 +50,11 @@ spec: count: 1 ``` -## Rotate auto-generated credentials [k8s-rotate-credentials] +## ECK auto-generated credentials + +{{eck}} auto-generates credentials for the `elastic` user and other users. These credentials are stored in Kubernetes Secrets and are labeled with `eck.k8s.elastic.co/credentials=true`. + +### Rotating auto-generated credentials [k8s-rotate-credentials] You can force the auto-generated credentials to be regenerated with new values by deleting the appropriate Secret. For example, to change the password for the `elastic` user from the [quickstart example](/deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md), use the following command: @@ -62,7 +66,6 @@ kubectl delete secret quickstart-es-elastic-user If you are using the `elastic` user credentials in your own applications, they will fail to connect to {{es}} and {{kib}} after you run this command. It is not recommended to use `elastic` user credentials for production use cases. Always [create your own users with restricted roles](../../../deploy-manage/users-roles/cluster-or-deployment-auth/native.md) to access {{es}}. :::: - To regenerate all auto-generated credentials in a namespace, run the following command: ```sh @@ -73,6 +76,19 @@ kubectl delete secret -l eck.k8s.elastic.co/credentials=true This command regenerates auto-generated credentials of **all** {{stack}} applications in the namespace. :::: +### Controlling the length of auto-generated passwords +```{applies_to} + eck: ga 2.2 +``` + +:::{note} +The ability to control the length of passwords for [file-based credentials](/deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md) generated by {{eck}} requires an Enterprise license. +::: + +You can control the length of generated file-based passwords in {{eck}} installations by setting either `config.policies.passwords.length` in your Helm chart values or `password-length` in the `elastic-operator` `ConfigMap` when installing with YAML manifests. Refer to the [operator configuration documentation](../../deploy/cloud-on-k8s/configure-eck.md) for details on managing these settings. + +Changing these values does not update existing passwords. To rotate current credentials, refer to the [rotating credentials documentation](#k8s-rotate-credentials) + ## Creating custom users {{eck}} provides functionality to facilitate custom user creation through various authentication realms. You can create users using the native realm, file realm, or external authentication methods. @@ -99,4 +115,4 @@ For more information, refer to [External authentication](/deploy-manage/users-ro ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}. -Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples. \ No newline at end of file +Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples.