Manage TLS certificates on ECK
All Elastic Stack resources deployed by the ECK operator are secured by default. The operator sets up basic authentication and TLS to encrypt network traffic to, from, and within your Elasticsearch cluster and Kibana instances.
Refer to Communication channels for an overview of the endpoints and traffic flows to secure.
Elasticsearch transport security and TLS certificates are automatically configured by the operator, but you can still customize the Elasticsearch transport service, certificate authority, and certificates.
HTTP TLS is automatically enabled for Elasticsearch and Kibana using self-signed certificates, with several options available for customization, including custom certificates and domain names.
Kibana instances are automatically configured to connect securely to Elasticsearch, without requiring manual setup.
You can require Elasticsearch HTTP clients to present TLS client certificates (mutual TLS). For configuration details, see Elasticsearch client certificate authentication on ECK.
ECK provides flexible options for managing SSL certificates in your deployments, including automatic certificate generation and rotation, integration with external tools like cert-manager, or using your own custom certificates. Custom HTTP certificates require manual management.
ECK automatically rotates any certificates and CAs that were generated by the operator and are under its management.
For certificate management configuration options, refer to ECK configuration flags.
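The two HTTP TLS approaches described above, side by side, as an added example that is not taken from the Elastic documentation. The resource names, the DNS name, the Secret name and the version placeholder are assumptions; the `spec.http.tls` fields are the ones the Elasticsearch resource exposes.

```yaml
# Added example: names, hostname and version are placeholders.
# Option 1: operator-generated self-signed HTTP certificate with an extra SAN.
# ECK issues this certificate and rotates it automatically.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es-selfsigned              # hypothetical name
spec:
  version: "<stack-version>"       # placeholder, set to your Elastic Stack version
  nodeSets:
  - name: default
    count: 3
  http:
    tls:
      selfSignedCertificate:
        subjectAltNames:
        - dns: es.example.internal # constructed hostname that clients connect to
---
# Option 2: custom HTTP certificate read from a Kubernetes Secret.
# The Secret holds tls.crt and tls.key (plus ca.crt for a private CA).
# ECK only consumes it; issuance and renewal are managed outside the operator.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: es-custom-cert             # hypothetical name
spec:
  version: "<stack-version>"       # placeholder
  nodeSets:
  - name: default
    count: 3
  http:
    tls:
      certificate:
        secretName: es-http-tls    # hypothetical Secret, created manually or by cert-manager
```

With option 2, track the expiry date of the certificate in the referenced Secret, because the operator does not renew it.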