Skip to content

Update ECK documentation for rotating credentials. #3488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update ECK documentation for rotating credentials. #3488

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions deploy-manage/users-roles/cluster-or-deployment-auth/managed-credentials-eck.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,13 +66,17 @@ If you are using the `elastic` user credentials in your own applications, they w
To regenerate all auto-generated credentials in a namespace, run the following command:

```sh
kubectl delete secret -l eck.k8s.elastic.co/credentials=true
kubectl delete secret -l eck.k8s.elastic.co/credentials=true,common.k8s.elastic.co/type!=kibana
```

::::{warning}
This command regenerates auto-generated credentials of **all** {{stack}} applications in the namespace.
::::

:::{note}
Previous documentation suggested deleting all secrets with the label `eck.k8s.elastic.co/credentials=true`, which included the Kibana secret that contained encryption keys. Deletion of the Kibana config secret is not recommended.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't love the wording here. Suggestions welcome.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest not referring to the previous docs when making corrections - if people think they saw something here previously, they can look in the git history. instead, we can tell them what to avoid and why. something like:

Suggested change
Previous documentation suggested deleting all secrets with the label `eck.k8s.elastic.co/credentials=true`, which included the Kibana secret that contained encryption keys. Deletion of the Kibana config secret is not recommended.
When deleting secrets so they can be regenerated, make sure to exclude {{kib}} secrets by specifying `type!=kibana`. {{kib}} secrets contain encryption keys, which should not be deleted.

:::

## Creating custom users

{{eck}} provides functionality to facilitate custom user creation through various authentication realms. You can create users using the native realm, file realm, or external authentication methods.
Expand All @@ -99,4 +103,4 @@ For more information, refer to [External authentication](/deploy-manage/users-ro

ECK facilitates file-based role management through Kubernetes secrets containing the roles specification. Alternatively, you can use the Role management API or the Role management UI in {{kib}}.

Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples.
Refer to [Managing custom roles](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#managing-custom-roles) for details and ECK based examples.