Remote clusters - private CA connections and trusted environments management converted to snippets #3841
Merged
7 commits
- 06fe323 private CA connections converted to snippets (eedugon)
- 7d664ab Merge remote-tracking branch 'origin/main' into remote_clusters_gener… (eedugon)
- f7211a0 comments updated (eedugon)
- 51e1b0e extra snippet and refinement (eedugon)
- d7e02b1 manage trusted environments converted to snippets (eedugon)
- 34d823e link fixed (eedugon)
- bf9c2ec Apply suggestions from code review (eedugon)
37 changes: 37 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| <!-- | ||
| This snippet is in use in the following locations: | ||
| - ece-remote-cluster-self-managed.md | ||
| - ece-remote-cluster-other-ece.md | ||
|
|
||
| It requires remote_type substitution to be defined | ||
| --> | ||
| 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). | ||
| 2. On the **Deployments** page, select your deployment. | ||
|
|
||
| Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. | ||
|
|
||
| 3. Access the **Security** page of the deployment. | ||
| 4. Select **Remote Connections > Add trusted environment** and choose **{{remote_type}}**. Then click **Next**. | ||
| 5. Select **API keys** as authentication mechanism and click **Next**. | ||
| 6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select **No, it is private**. | ||
| 7. Add the API key: | ||
|
|
||
| 1. Fill both fields. | ||
|
|
||
| * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. | ||
| * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. | ||
|
|
||
| 2. Click **Add** to save the API key to the keystore. | ||
| 3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS. | ||
|
|
||
| 8. Add the CA certificate of the remote environment. | ||
| 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page. | ||
| 10. Select **Create trust** to complete the configuration. | ||
| 11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. | ||
|
|
||
| ::::{note} | ||
| If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. | ||
| :::: | ||
|
|
||
| If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](/deploy-manage/remote-clusters/ece-edit-remove-trusted-environment.md#edit-remove-trusted-environment-api-key). | ||
|
|
||
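Review bot: Step 8 ("Add the CA certificate of the remote environment") does not say which certificate is expected. Step 6 has just asked whether the CA of the remote proxy or load-balancing infrastructure is private, and the companion retrieve-ece-ca.md snippet in this PR has the reader save the proxy root certificate as a `.crt` file, so suggest tying the two together, e.g. "8. Add the CA certificate of the remote environment (the `.crt` file you saved earlier)." A second, minor point: step 11 instructs an unconditional restart and only the note after it says the restart is unnecessary on 8.14 or greater; folding the version condition into the step text ("If the local deployment runs on a version earlier than 8.14, restart ...") spares readers on newer versions an unneeded restart.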
36 changes: 36 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| <!-- | ||
| This snippet is in use in the following locations: | ||
| - ec-remote-cluster-self-managed.md | ||
| - ec-remote-cluster-ece.md | ||
|
|
||
| It requires remote_type substitution to be defined | ||
| --> | ||
| 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). | ||
| 2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. | ||
|
|
||
| On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. | ||
|
|
||
| 3. From the navigation menu, select **Security**. | ||
| 4. Select **Remote Connections > Add trusted environment** and choose **{{remote_type}}**. Then click **Next**. | ||
| 5. Select **API keys** as authentication mechanism and click **Next**. | ||
| 6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select **No, it is private**. | ||
| 7. Add the API key: | ||
|
|
||
| 1. Fill both fields. | ||
|
|
||
| * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. | ||
| * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. | ||
|
|
||
| 2. Click **Add** to save the API key to the keystore. | ||
| 3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS. | ||
|
|
||
| 8. Add the CA certificate of the remote environment. | ||
| 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page. | ||
| 10. Select **Create trust** to complete the configuration. | ||
| 11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**. | ||
|
|
||
| ::::{note} | ||
| If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. | ||
| :::: | ||
|
|
||
| If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](/deploy-manage/remote-clusters/ec-edit-remove-trusted-environment.md#edit-remove-trusted-environment-api-key). |
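Review bot: Steps 4 to 11, both notes and the closing paragraph are identical to apikeys-local-ece-remote-private.md apart from the link target in the last sentence; only steps 1 to 3 (how to reach the deployment's Security page) differ. Since this PR already builds on snippet inclusion with a {{remote_type}} substitution, consider moving the shared tail (steps 4 onwards) into one snippet included by both files, so that later fixes to the step 8 wording or the 8.14 note cannot drift between the ECE and ECH variants.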
14 changes: 14 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/retrieve-ece-ca.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| Before configuring the local deployment, retrieve the CA certificate of the remote ECE proxy. To find this certificate: | ||
|
|
||
| 1. In the remote ECE environment, go to **Platform > Settings > TLS certificates**. | ||
| 2. Select **Show certificate chain** under **Proxy**. | ||
| 3. Click **Copy root certificate** and paste it into a new file. The root certificate is the last certificate shown in the chain. | ||
|
|
||
| :::{image} /deploy-manage/images/cloud-remote-clusters-proxy-certificate.png | ||
| :alt: Certificate to copy from the chain | ||
| ::: | ||
|
|
||
| 4. Save that file as `.crt`. | ||
|
||
|
|
||
| You can now proceed to configure the local deployment. The CA file you just saved will be used in one of the following steps. | ||
|
||
|
|
||
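Review bot: The closing sentence "The CA file you just saved will be used in one of the following steps" leaves the reader to find the step themselves; suggest naming it, since the including pages have a step titled "Add the CA certificate of the remote environment". Also, steps 3 and 4 ("paste it into a new file" / "Save that file as `.crt`") should say that the file must contain only the root certificate copied in step 3: the step itself notes the root is the last certificate shown in the chain, and a reader who pastes the whole chain instead ends up configuring a different trust anchor than intended.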
27 changes: 27 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/trusted-environment-change-api-key.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| This section describes the steps to change the API key used for an existing remote connection. For example, if the previous key expired and you need to rotate it with a new one. | ||
|
|
||
| ::::{note} | ||
| If you need to update the permissions granted by a cross-cluster API key for a remote connection, you only need to update the privileges granted by the API key directly in {{kib}}. | ||
| :::: | ||
|
|
||
|
|
||
| 1. On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](/deploy-manage/api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key with the appropriate permissions. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. | ||
| 2. Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next steps. | ||
| 3. From the navigation menu of your local deployment, select **Security** and locate the **Remote connections** section. | ||
| 4. Locate the API key currently used for connecting to the remote cluster, copy its current alias, and delete it. | ||
| 5. Add the new API key by selecting **Add API key**. | ||
|
|
||
| * For the **Remote cluster name**, enter the same alias that was used for the previous key. | ||
|
|
||
| ::::{note} | ||
| If you use a different alias, you also need to re-create the remote cluster in {{kib}} with a **Remote cluster name** that matches the new alias. | ||
| :::: | ||
|
|
||
| * For the **Cross-cluster API key**, paste the encoded cross-cluster API key, then click **Add** to save the API key to the keystore. | ||
|
|
||
| 6. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.<br> | ||
|
|
||
| ::::{note} | ||
| If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. | ||
| :::: | ||
|
|
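Review bot: The procedure never invalidates the previous cross-cluster API key on the remote deployment. Step 4 deletes it only from the local keystore, so after the rotation the old key stays a valid credential on the remote side until it expires, and the intro gives expiry only as one example of why a key is rotated. Suggest a closing step, after the restart, to invalidate the old key on the remote deployment through the {{kib}} API keys page referenced in step 1 (or the equivalent {{es}} API). Minor: the trailing `<br>` on step 6 is stray HTML and can be dropped; the note that follows already separates the paragraphs.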
6 changes: 6 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/trusted-environment-manage.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| From a deployment's **Security** page, you can manage trusted environments that were created previously. This can happen when: | ||
|
|
||
| * You no longer need a trusted environment and want to remove it. | ||
| * You want to refresh the certificate, or add or remove trusted deployments of an existing trusted environment relying on certificates as a security model. | ||
| * You want to remove or update the access level granted by a cross-cluster API key. | ||
|
|
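Review bot: The third bullet ("remove or update the access level granted by a cross-cluster API key") conflicts with the note in trusted-environment-change-api-key.md in this same PR, which says permission changes are made on the API key directly in {{kib}}, not from the Security page. Suggest rewording the bullet to what the Security page actually offers for API key connections (replace the key used by a remote connection, or remove it). Minor wording: "This can happen when:" reads oddly for a list of user intents; "You might need to do this when:" fits better.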
17 changes: 17 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/trusted-environment-remove-cert.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| By removing a trusted environment, this deployment will no longer be able to establish remote connections using certificate trust to clusters of that environment. The remote environment will also no longer be able to connect to this deployment using certificate trust. | ||
|
|
||
| ::::{note} | ||
| With this method, you can only remove trusted environments relying exclusively on certificates. To remove remote connections that use API keys for authentication, refer to [Change a cross-cluster API key used for a remote connection](#edit-remove-trusted-environment-api-key). | ||
| :::: | ||
|
|
||
| 1. Go to the deployment's **Security** page. | ||
| 2. In the list of trusted environments, locate the one you want to remove. | ||
| 3. Remove it using the corresponding `delete` icon. | ||
|
|
||
| :::{image} /deploy-manage/images/cloud-delete-trust-environment.png | ||
| :alt: button for deleting a trusted environment | ||
| ::: | ||
|
|
||
| 1. Go to the **Remote Clusters** management page in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). | ||
| 2. In the list of existing remote clusters, delete the ones corresponding to the trusted environment you removed earlier. | ||
|
|
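Review bot: The second numbered list (the Remote Clusters management page) restarts at 1 with no sentence saying where it is performed or why, so it reads like a duplicate of the first list rather than the cleanup of the remote cluster definitions in {{kib}}. Suggest either continuing the numbering (4., 5.) or introducing it, e.g. "Then remove the corresponding remote cluster definitions in {{kib}}:". Also, the note links to the bare anchor #edit-remove-trusted-environment-api-key; in a shared snippet that anchor only resolves if every including page defines it, whereas the apikeys snippets in this PR link with the full page path.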
15 changes: 15 additions & 0 deletions
deploy-manage/remote-clusters/_snippets/trusted-environment-update-cert.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| 1. Go to the deployment's **Security** page. | ||
| 2. In the list of trusted environments, locate the one you want to edit. | ||
| 3. Open its details by selecting the `Edit` icon. | ||
|
|
||
| :::{image} /deploy-manage/images/cloud-edit-trust-environment.png | ||
| :alt: button for editing a trusted environment | ||
| ::: | ||
|
|
||
| 4. Edit the trust configuration for that environment: | ||
|
|
||
| * From the **Trust level** tab, you can add or remove trusted deployments. | ||
| * From the **Environment settings** tab, you can manage the certificates and the label of the environment. | ||
|
|
||
| 5. Save your changes. | ||
|
|
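Review bot: Step 3 puts the control name in code font (`Edit`), as does the `delete` icon in trusted-environment-remove-cert.md, while every other UI element in these snippets is bold (**Security**, **Trust level**, **Environment settings**); suggest **Edit** and **Delete** for consistency. Also, the second bullet under step 4 only says the Environment settings tab lets you "manage the certificates"; since trusted-environment-manage.md lists refreshing a certificate as a reason to come here, spelling out the available operations (in particular whether a new certificate can be added before the old one is removed) would help a reader doing a certificate rotation without a trust gap.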