
Elasticsearch client certificate authentication on ECK

For details on how ECK secures HTTP traffic and manages TLS certificates, see Manage TLS certificates on ECK.

You can configure Elasticsearch to require client certificates on its HTTP layer, enabling mutual TLS (mTLS) between clients and Elasticsearch. When enabled, a client must present a certificate that Elasticsearch trusts (one signed by a CA in its client trust bundle) or the TLS handshake fails before any request reaches Elasticsearch. Client certificate authentication is enforced at the TLS layer and is in addition to, not a replacement for, Elasticsearch user authentication: once the handshake succeeds, clients still authenticate with their usual credentials (username and password, API key, or service token) unless a PKI realm is configured separately.

Currently, Kibana is the only client that ECK configures automatically. Any other workload that connects to Elasticsearch over HTTP must present a client certificate trusted by Elasticsearch, for example by adding a client certificate Secret that ECK aggregates into the trust bundle (see below); otherwise its connections are rejected during the TLS handshake.

Note

This requires a valid Enterprise license or Enterprise trial license. Check the license documentation for more details about managing licenses.

To enable client certificate authentication on Elasticsearch, set spec.http.tls.client.authentication to true:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 9.4.0
  nodeSets:
  - name: default
    count: 3
  http:
    tls:
      client:
        authentication: true

When client authentication is enabled, ECK does the following:

  • Sets xpack.security.http.ssl.client_authentication: required in the Elasticsearch configuration.
  • Generates and manages a client certificate for the ECK operator so it can continue communicating with Elasticsearch.
  • Generates a client certificate for Kibana and configures it to present that certificate when connecting to Elasticsearch.
  • Aggregates client certificates from Kubernetes Secrets that carry the label eck.k8s.elastic.co/client-certificate: true together with the Elasticsearch cluster's soft-owner labels (which tie a Secret to one specific cluster) into a trust bundle mounted into the Elasticsearch pods. Elasticsearch accepts a client whose certificate is, or chains to, a certificate in this bundle; a Secret missing either set of labels is ignored and the certificates it holds are not trusted.
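The effect described above, Elasticsearch rejecting at the TLS layer any client whose certificate does not chain to the trust bundle, can be reproduced without a cluster. The Go program below is an added example and is not ECK or Elasticsearch code: it builds three throwaway CAs and leaf certificates in memory, configures a TLS server the way client_authentication: required configures Elasticsearch (client certificate required and verified against a CA pool standing in for the aggregated trust bundle), and runs three handshakes over an in-memory pipe. The CA names, the "kibana" and "other-workload" subjects, and the helper names are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key and certificate for cn. parent == nil yields a
// self-signed CA; otherwise the certificate is signed by parent/parentKey.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // SAN, required for server-name verification
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// handshake runs one TLS handshake over an in-memory pipe (no sockets) and
// returns the first error either side reports; nil means mutual success.
func handshake(serverCfg, clientCfg *tls.Config) error {
	sEnd, cEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // safety net against a stalled pipe
	_ = sEnd.SetDeadline(deadline)
	_ = cEnd.SetDeadline(deadline)
	serverErr := make(chan error, 1)
	go func() {
		err := tls.Server(sEnd, serverCfg).Handshake()
		sEnd.Close()
		serverErr <- err
	}()
	clientErr := tls.Client(cEnd, clientCfg).Handshake()
	cEnd.Close()
	if err := <-serverErr; err != nil {
		return err
	}
	return clientErr
}

// scenarios models an Elasticsearch HTTP listener with
// client_authentication: required and probes it with three clients.
func scenarios() map[string]error {
	httpCA, httpCAKey := issue("http-ca", true, nil, nil, nil)       // signs the server certificate
	clientCA, clientCAKey := issue("client-ca", true, nil, nil, nil) // present in the trust bundle
	rogueCA, rogueCAKey := issue("rogue-ca", true, nil, nil, nil)    // NOT in the trust bundle

	srvCert, srvKey := issue("localhost", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, httpCA, httpCAKey)
	kibana, kibanaKey := issue("kibana", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, clientCA, clientCAKey)
	rogue, rogueKey := issue("other-workload", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, rogueCA, rogueCAKey)

	bundle := x509.NewCertPool() // stands in for the trust bundle ECK mounts into the pods
	bundle.AddCert(clientCA)
	serverCfg := &tls.Config{
		MinVersion:             tls.VersionTLS13,
		Certificates:           []tls.Certificate{pair(srvCert, srvKey)},
		ClientAuth:             tls.RequireAndVerifyClientCert, // same semantics as client_authentication: required
		ClientCAs:              bundle,
		SessionTicketsDisabled: true, // no post-handshake ticket writes that the synchronous pipe could not drain
	}
	roots := x509.NewCertPool()
	roots.AddCert(httpCA)
	client := func(c *tls.Certificate) *tls.Config {
		cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: roots, ServerName: "localhost"}
		if c != nil {
			// GetClientCertificate sends c unconditionally, even when its issuer is not
			// among the CAs the server advertises; a plain Certificates entry would
			// silently send nothing for the rogue certificate.
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return c, nil }
		}
		return cfg
	}
	good, bad := pair(kibana, kibanaKey), pair(rogue, rogueKey)
	return map[string]error{
		"no client cert":         handshake(serverCfg, client(nil)),
		"cert from trusted CA":   handshake(serverCfg, client(&good)),
		"cert from untrusted CA": handshake(serverCfg, client(&bad)),
	}
}

func main() {
	for name, err := range scenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Only the handshake with the certificate issued by the CA in the bundle succeeds; the client without a certificate and the client with a certificate from a CA outside the bundle are both refused before any HTTP request is exchanged, which is exactly why a workload whose Secret is not aggregated into the bundle cannot connect.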

Kibana therefore needs no additional configuration: when Elasticsearch requires client authentication, ECK generates Kibana's client certificate and configures Kibana to present it on every connection to Elasticsearch.

To use your own client certificate instead of the one generated by ECK, reference a Kubernetes secret containing the certificate and key in the elasticsearchRef:

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 9.4.0
  count: 1
  elasticsearchRef:
    name: quickstart
    clientCertificateSecretName: my-custom-client-cert

The referenced secret must contain tls.crt and tls.key entries, the layout produced by kubectl create secret tls my-custom-client-cert --cert=client.crt --key=client.key. As with any client, the certificate must be trusted by Elasticsearch's client trust bundle or Kibana's connections are rejected at the TLS handshake:

apiVersion: v1
kind: Secret
metadata:
  name: my-custom-client-cert
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded certificate>
  tls.key: <base64-encoded private key>

Note

The clientCertificateSecretName field can only be used with a named elasticsearchRef (not with secretName).

To turn off client certificate authentication, set the field to false or remove it:

http:
  tls:
    client:
      authentication: false

ECK handles the transition gracefully: it defers cleanup of the mTLS resources until all Elasticsearch pods have rolled over to the new configuration, so the operator and Kibana keep a working connection throughout the change.