diff --git a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md
index a30bd8bea2..55b8e8f24b 100644
--- a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md
+++ b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet-self.md
@@ -27,8 +27,8 @@ PUT /_cluster/settings
 "remote": {
 "alias-for-my-remote-cluster": { // Align the alias with the remote cluster name used when adding the API key.
 "mode":"proxy",
- "proxy_address": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io:9400",
- "server_name": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io"
+ "proxy_address": ":9443",
+ "server_name": ""
 }
 }
 }
diff --git a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet.md b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet.md
index f2dac811ef..82167d9272 100644
--- a/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet.md
+++ b/deploy-manage/remote-clusters/_snippets/rcs-elasticsearch-api-snippet.md
@@ -35,8 +35,8 @@ PUT /_cluster/settings
 "remote": {
 "alias-for-my-remote-cluster": { // Remote cluster alias
 "mode":"proxy",
- "proxy_address": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io:9400",
- "server_name": "a542184a7a7d45b88b83f95392f450ab.192.168.44.10.ip.es.io"
+ "proxy_address": ":9443",
+ "server_name": ""
 }
 }
 }
diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md
index f18784711a..46939ae1a3 100644
--- a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md
+++ b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md
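Review bot: The new `+ "server_name": ""` line in the first hunk leaves the example with an empty SNI value, where the previous example kept `server_name` equal to the host part of `proxy_address`; `server_name` is the value sent in the TLS Server Name Indication extension, so a reader who pastes the snippet unchanged is unlikely to reach the intended deployment. The same `+ "proxy_address": ":9443"` / `+ "server_name": ""` pair appears in the second hunk (rcs-elasticsearch-api-snippet.md). If a reader-substituted host token was intended here it is not visible in the patch; either way the snippet should show the host once and reuse it, e.g. `"proxy_address": "REMOTE_HOST:9443",` and `"server_name": "REMOTE_HOST"` (constructed placeholder), with a sentence telling the reader to substitute it.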
@@ -115,12 +115,12 @@ A deployment can be configured to trust all or specific deployments in any envir
 ```yaml
 instances:
 - name: "node1"
- dns: ["node1.mydomain.com"]
- ip: ["192.168.1.1"]
+ dns: [""]
+ ip: ["192.0.2.1"]
 cn: ["node1.node.1234567abcd.cluster.myscope.account"]
 - name: "node2"
- dns: ["node2.mydomain.com"]
- ip: ["192.168.1.2"]
+ dns: [""]
+ ip: ["192.0.2.2"]
 cn: ["node2.node.1234567abcd.cluster.myscope.account"]
 ```
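Review bot: `+ dns: [""]` leaves the DNS SAN of both example node certificates as an empty string, which reads as a dropped placeholder rather than an intended value. The IPs were moved to the documentation range `192.0.2.x` (RFC 5737), so if a literal example is wanted the names should move to the reserved documentation domain in the same spirit, e.g. `dns: ["node1.example.com"]` and `dns: ["node2.example.com"]`; if a reader-substituted placeholder was intended, it needs a visible token and a sentence saying to replace it. The same empty value recurs in the identical hunk of ece-remote-cluster-self-managed.md, in `--dns=` of the certutil commands in remote-clusters-api-key.md and remote-clusters-migrate.md, and in the `node1.` / `node*.` forms of the trust_restrictions hunks.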
@@ -129,18 +129,16 @@ A deployment can be configured to trust all or specific deployments in any envir * All the clusters in an {{ecloud}} region are signed by the same certificate authority. Therefore, adding this CA would make the self-managed cluster trust all the clusters in that region, including clusters from other organizations. This can be limited using the setting `xpack.security.transport.ssl.trust_restrictions.path` which points to a file that limits the certificates to trust based on their `otherName`-attribute. * For example, the following file would trust: - * two specific clusters with the cluster IDs `aaaabbbbaaaabbbb`<1> and `xxxxyyyyxxxxyyyy`<2> from an organization with organization ID `1053523734` - * <3> any cluster from an organization with organization ID `83988631` - * <4> The nodes from its own cluster (whose certificates follow a different convention: `CN = node1.example.com`, `CN = node2.example.com` and `CN = node3.example.com`) - - -``` - trust.subject_name: - - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account - - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account - - *.node.*.cluster.83988631.account - - node*.example.com -``` + ```yaml + trust.subject_name: + - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account <1> + - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account <1> + - *.node.*.cluster.83988631.account <2> + - node*. <3> + ``` + 1. Two specific clusters with cluster ids `aaaabbbbaaaabbbb` and `xxxxyyyyxxxxyyyy` in an ECE environment with Environment ID `1053523734` + 2. Any cluster from an ECE environment with Environment ID `83988631` + 3. The nodes from its own cluster (whose certificates follow a different convention: `CN = node1.`, `CN = node2.` and `CN = node3.`) ::::{tip} Generate new node certificates for an entire cluster using the file input mode of the certutil. 
@@ -150,7 +148,7 @@ Generate new node certificates for an entire cluster using the file input mode o ::::{dropdown} Using the API You can update a deployment using the appropriate trust settings for the {{es}} payload. -In order to trust a cluster whose nodes present certificates with the subject names: "CN = node1.example.com", "CN = node2.example.com" and "CN = node3.example.com" in a self-managed environment, you could update the trust settings with an additional direct trust relationship like this: +In order to trust a cluster whose nodes present certificates with the subject names: "CN = node1.", "CN = node2." and "CN = node3." in a self-managed environment, you could update the trust settings with an additional direct trust relationship like this: ```json { @@ -165,7 +163,7 @@ In order to trust a cluster whose nodes present certificates with the subject na { "type" : "generic", "name" : "My Self-managed environment", - "additional_node_names" : ["node1.example.com", "node2.example.com", "node3.example.com",], + "additional_node_names" : ["node1.", "node2.", "node3.",], "certificates" : [ { "pem" : "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----" diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md b/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md index 40da4766a5..068163aabf 100644 --- a/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md +++ b/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md @@ -115,12 +115,12 @@ A deployment can be configured to trust all or specific deployments in any envir ```yaml instances: - name: "node1" - dns: ["node1.mydomain.com"] - ip: ["192.168.1.1"] + dns: [""] + ip: ["192.0.2.1"] cn: ["node1.node.1234567abcd.cluster.myscope.account"] - name: "node2" - dns: ["node2.mydomain.com"] - ip: ["192.168.1.2"] + dns: [""] + ip: ["192.0.2.2"] cn: ["node2.node.1234567abcd.cluster.myscope.account"] ``` 
@@ -129,17 +129,16 @@ A deployment can be configured to trust all or specific deployments in any envir
 * All the clusters in your {{ece}} environment are signed by the same certificate authority. Therefore, adding this CA would make the self-managed cluster trust all your clusters in your ECE environment. This should be limited using the setting `xpack.security.transport.ssl.trust_restrictions.path` in [`elasticsearch.yml`](/deploy-manage/stack-settings.md), which points to a file that limits the certificates to trust based on their `otherName`-attribute.
 * For example, the following file would trust:
- ```yaml
- trust.subject_name:
- - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account <1>
- - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account <1>
- - *.node.*.cluster.83988631.account <2>
- - node*.example.com <4>
- ```
-
- 1. two specific clusters with cluster ids `aaaabbbbaaaabbbb` and `xxxxyyyyxxxxyyyy` in an ECE environment with Environment ID `1053523734`
- 2. any cluster from an ECE environment with Environment ID `83988631`
- 3. the nodes from its own cluster (whose certificates follow a different convention: `CN = node1.example.com`, `CN = node2.example.com` and `CN = node3.example.com`)
+ ```yaml
+ trust.subject_name:
+ - *.node.aaaabbbbaaaabbbb.cluster.1053523734.account <1>
+ - *.node.xxxxyyyyxxxxyyyy.cluster.1053523734.account <1>
+ - *.node.*.cluster.83988631.account <2>
+ - node*. <3>
+ ```
+ 1. Two specific clusters with cluster ids `aaaabbbbaaaabbbb` and `xxxxyyyyxxxxyyyy` in an ECE environment with Environment ID `1053523734`
+ 2. Any cluster from an ECE environment with Environment ID `83988631`
+ 3. The nodes from its own cluster (whose certificates follow a different convention: `CN = node1.`, `CN = node2.` and `CN = node3.`)
 ::::{tip}
 Generate new node certificates for an entire cluster using the file input mode of the certutil.
@@ -149,7 +148,7 @@ Generate new node certificates for an entire cluster using the file input mode o
 ::::{dropdown} Using the API
 You can update a deployment using the appropriate trust settings for the {{es}} payload.
-In order to trust a cluster whose nodes present certificates with the subject names: "CN = node1.example.com", "CN = node2.example.com" and "CN = node3.example.com" in a self-managed environment, you could update the trust settings with an additional direct trust relationship like this:
+In order to trust a cluster whose nodes present certificates with the subject names: "CN = node1.", "CN = node2." and "CN = node3." in a self-managed environment, you could update the trust settings with an additional direct trust relationship like this:
 ```json
 {
@@ -164,7 +163,7 @@ In order to trust a cluster whose nodes present certificates with the subject na
 {
 "type" : "generic",
 "name" : "My Self-managed environment",
- "additional_node_names" : ["node1.example.com", "node2.example.com", "node3.example.com",],
+ "additional_node_names" : ["node1.", "node2.", "node3.",],
 "certificates" : [
 {
 "pem" : "-----BEGIN CERTIFICATE-----\nMIIDTzCCA...H0=\n-----END CERTIFICATE-----"
diff --git a/deploy-manage/remote-clusters/remote-clusters-api-key.md b/deploy-manage/remote-clusters/remote-clusters-api-key.md
index e6406c64a5..5f3ea695d1 100644
--- a/deploy-manage/remote-clusters/remote-clusters-api-key.md
+++ b/deploy-manage/remote-clusters/remote-clusters-api-key.md
@@ -76,7 +76,7 @@ If a remote cluster is part of an {{ech}} (ECH) deployment, the remote cluster s
 3. Generate a certificate and private key pair for the nodes in the remote cluster:
 ```sh
- ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns=example.com --ip=127.0.0.1
+ ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns= --ip=192.0.2.1
 ```
 * Replace `CA_PASSWORD` with the CA password from the previous step.
@@ -158,7 +158,7 @@ To add a remote cluster from Stack Management in {{kib}}:
 2. Select **Add a remote cluster**.
 3. Select **API keys** as the connection type.
 4. Enter a name (*cluster alias*) for the remote cluster.
-5. Specify the {{es}} endpoint URL, or the IP address or host name of the remote cluster followed by the remote cluster port (defaults to `9443`). For example, `cluster.es.eastus2.staging.azure.foundit.no:9443` or `192.168.1.1:9443`.
+5. Specify the {{es}} endpoint URL, or the IP address or host name of the remote cluster followed by the remote cluster port (defaults to `9443`). For example, `cluster.es.eastus2.staging.azure.foundit.no:9443` or `192.0.2.1:9443`.
 Starting with {{kib}} 9.2, you can also specify IPv6 addresses.
@@ -180,7 +180,7 @@ PUT /_cluster/settings
 "remote" : {
 "cluster_one" : { <1>
 "seeds" : [
- "127.0.0.1:9443" <2>
+ ":9443" <2>
 ]
 }
 }
@@ -205,7 +205,7 @@ The API response indicates that the local cluster is connected to the remote clu
 {
 "cluster_one" : {
 "seeds" : [
- "127.0.0.1:9443"
+ ":9443"
 ],
 "connected" : true,
 "num_nodes_connected" : 1, <1>
@@ -239,20 +239,20 @@ PUT _cluster/settings
 "remote": {
 "cluster_one": {
 "seeds": [
- "127.0.0.1:9443"
+ ":9443"
 ]
 },
 "cluster_two": {
 "mode": "sniff",
 "seeds": [
- "127.0.0.1:9444"
+ ":9443"
 ],
 "transport.compress": true,
 "skip_unavailable": true
 },
 "cluster_three": {
 "mode": "proxy",
- "proxy_address": "127.0.0.1:9445"
+ "proxy_address": ":9443"
 }
 }
 }
@@ -322,15 +322,15 @@ In the following example, `cluster_one`, `cluster_two`, and `cluster_three` are
 cluster:
 remote:
 cluster_one:
- seeds: 127.0.0.1:9443
+ seeds: :9443
 cluster_two:
 mode: sniff
- seeds: 127.0.0.1:9444
+ seeds: :9443
 transport.compress: true <1>
 skip_unavailable: true <2>
 cluster_three:
 mode: proxy
- proxy_address: 127.0.0.1:9445 <3>
+ proxy_address: :9443 <3>
 ```
 1. Compression is explicitly enabled for requests to `cluster_two`.
diff --git a/deploy-manage/remote-clusters/remote-clusters-cert.md b/deploy-manage/remote-clusters/remote-clusters-cert.md
index 48448af8bd..e3618f7dfe 100644
--- a/deploy-manage/remote-clusters/remote-clusters-cert.md
+++ b/deploy-manage/remote-clusters/remote-clusters-cert.md
@@ -68,7 +68,7 @@ To add a remote cluster from Stack Management in {{kib}}:
 2. Select **Add a remote cluster**.
 3. Select **Certificates** as the connection type.
 4. Enter a name (*cluster alias*) for the remote cluster.
-5. Specify the {{es}} endpoint URL, or the IP address or host name of the remote cluster followed by the transport port (defaults to `9300`). For example, `cluster.es.eastus2.staging.azure.foundit.no:9300` or `192.168.1.1:9300`.
+5. Specify the {{es}} endpoint URL, or the IP address or host name of the remote cluster followed by the transport port (defaults to `9300`). For example, `cluster.es.eastus2.staging.azure.foundit.no:9300` or `192.0.2.1:9300`.
 Starting with {{kib}} 9.2, you can also specify IPv6 addresses.
@@ -86,7 +86,7 @@ PUT /_cluster/settings
 "remote" : {
 "cluster_one" : { <1>
 "seeds" : [
- "127.0.0.1:9300" <2>
+ ":9300" <2>
 ]
 }
 }
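Review bot: After `+ ":9443"` for `cluster_two` and `+ "proxy_address": ":9443"` for `cluster_three`, all three example remotes in the first hunk point at the same host-less endpoint, whereas the old text used distinct ports (9443/9444/9445) to make it clear that these are three different clusters; the YAML mirror in the second hunk and the 9300 variants in remote-clusters-cert.md collapse in the same way. A seed of `:9443` with no host is also unlikely to be accepted as a `host:port` value, so the snippet fails if pasted unchanged. Consider a distinct, visible placeholder per cluster, e.g. `"seeds": ["REMOTE_HOST_1:9443"]`, `"seeds": ["REMOTE_HOST_2:9443"]` and `"proxy_address": "REMOTE_HOST_3:9443"` (constructed placeholders), with the same tokens reused in the YAML form.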
@@ -96,7 +96,7 @@ PUT /_cluster/settings
 ```
 1. The cluster alias of this remote cluster is `cluster_one`.
-2. Specifies the hostname and transport port of a seed node in the remote cluster.
+2. Specifies the hostname and transport port of at least a seed node in the remote cluster.
 You can use the [remote cluster info API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-cluster-remote-info) to verify that the local cluster is successfully connected to the remote cluster:
@@ -111,7 +111,7 @@ The API response indicates that the local cluster is connected to the remote clu
 {
 "cluster_one" : {
 "seeds" : [
- "127.0.0.1:9300"
+ ":9300"
 ],
 "connected" : true,
 "num_nodes_connected" : 1, <1>
@@ -143,20 +143,20 @@ PUT _cluster/settings
 "remote": {
 "cluster_one": {
 "seeds": [
- "127.0.0.1:9300"
+ ":9300"
 ]
 },
 "cluster_two": {
 "mode": "sniff",
 "seeds": [
- "127.0.0.1:9301"
+ ":9300"
 ],
 "transport.compress": true,
 "skip_unavailable": true
 },
 "cluster_three": {
 "mode": "proxy",
- "proxy_address": "127.0.0.1:9302"
+ "proxy_address": ":9300"
 }
 }
 }
@@ -226,15 +226,15 @@ In the following example, `cluster_one`, `cluster_two`, and `cluster_three` are
 cluster:
 remote:
 cluster_one:
- seeds: 127.0.0.1:9300
+ seeds: :9300
 cluster_two:
 mode: sniff
- seeds: 127.0.0.1:9301
+ seeds: :9300
 transport.compress: true <1>
 skip_unavailable: true <2>
 cluster_three:
 mode: proxy
- proxy_address: 127.0.0.1:9302 <3>
+ proxy_address: :9300 <3>
 ```
 1. Compression is explicitly enabled for requests to `cluster_two`.
diff --git a/deploy-manage/remote-clusters/remote-clusters-migrate.md b/deploy-manage/remote-clusters/remote-clusters-migrate.md
index f7cfbdb459..9753902523 100644
--- a/deploy-manage/remote-clusters/remote-clusters-migrate.md
+++ b/deploy-manage/remote-clusters/remote-clusters-migrate.md
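Review bot: The new callout text `+2. Specifies the hostname and transport port of at least a seed node in the remote cluster.` in the first hunk reads awkwardly; since `seeds` is a list, `2. Specifies the hostname and transport port of at least one seed node in the remote cluster.` says what is meant. The callout still refers to a seed entry that now reads `":9300"` without a host, so whatever placeholder the seeds line ends up with should be named here too (e.g. "replace the host with a node of the remote cluster").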
@@ -69,7 +69,7 @@ On the remote cluster:
 3. Generate a certificate and private key pair for the nodes in the remote cluster:
 ```sh
- ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns=example.com --ip=127.0.0.1
+ ./bin/elasticsearch-certutil cert --out=cross-cluster.p12 --pass=CERT_PASSWORD --ca-cert=ca/ca.crt --ca-key=ca/ca.key --ca-pass=CA_PASSWORD --dns= --ip=192.0.2.1
 ```
 * Replace `CA_PASSWORD` with the CA password from the previous step.
@@ -169,7 +169,7 @@ On the local cluster:
 "remote" : {
 "my_remote" : { <1>
 "mode": "proxy",
- "proxy_address": "my.remote.cluster.com:9443" <2>
+ "proxy_address": ":9443" <2>
 }
 }
 }
@@ -198,7 +198,7 @@ On the local cluster:
 "my_remote": {
 "connected": true, <1>
 "mode": "proxy",
- "proxy_address": "my.remote.cluster.com:9443",
+ "proxy_address": ":9443",
 "server_name": "",
 "num_proxy_sockets_connected": 0,
 "max_proxy_socket_connections": 18,