elastic / cloud-on-k8s

Elastic Cloud on Kubernetes

Please correct documentation at https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-snapshots.html#k8s-s3-compatible #7943

Open wortmanb opened 1 month ago

wortmanb commented 1 month ago

Bug Report

What did you do? I followed the instructions at https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-snapshots.html#k8s-s3-compatible for adding an air-gapped S3 repo whose certificate was not in cacerts.

What did you expect to see? A successful deployment of our cluster and the ability to add the repo and verify it.

What did you see instead? Under which circumstances? The nodes failed because the instructions were incorrect:

  1. The secret should be created as additional-certs, not as custom-truststore.
  2. For customers on air-gapped networks especially, but also for anyone concerned about security, putting the ES_JAVA_OPTS value in a secret is better, as it avoids placing the trust store password in cleartext. This could be listed as an option but should be included:
kubectl create secret generic env-es-java-opts --from-literal=java-opts='-Djavax.net.ssl.trustStore=/usr/share/elasticsearch/config/custom-truststore/cacerts -Djavax.net.ssl.keyStorePassword=changeit'

Then, add to your config:

env:
  - name: ES_JAVA_OPTS
    valueFrom:
      secretKeyRef:
        name: env-es-java-opts
        key: java-opts

Environment

https://github.com/elastic/cloud-on-k8s/issues/5652 https://github.com/elastic/cloud-on-k8s/pull/5969 https://github.com/elastic/cloud-on-k8s/issues/4175
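To show how the two corrections above fit together in one manifest, here is an added example (mine, not from the issue or the ECK documentation) that mounts the additional-certs Secret as the custom truststore and reads ES_JAVA_OPTS from the env-es-java-opts Secret instead of an inline value. The cluster name, version and node count are assumptions, and the example uses trustStorePassword, the JVM property that actually governs a truststore's password, where the issue text shows keyStorePassword.

```yaml
# Secrets created beforehand (names follow the issue; the cacerts file and
# password are constructed sample values):
#   kubectl create secret generic additional-certs --from-file=cacerts=./cacerts
#   kubectl create secret generic env-es-java-opts \
#     --from-literal=java-opts='-Djavax.net.ssl.trustStore=/usr/share/elasticsearch/config/custom-truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit'
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: airgapped-es            # assumed cluster name
spec:
  version: 8.14.0               # assumed version
  nodeSets:
  - name: default
    count: 3                    # assumed node count
    podTemplate:
      spec:
        containers:
        - name: elasticsearch
          env:
          # Weak form: the truststore password sits in cleartext in the
          # manifest, in `kubectl get elasticsearch -o yaml`, and in any
          # GitOps history that tracks this file:
          # - name: ES_JAVA_OPTS
          #   value: "-Djavax.net.ssl.trustStore=/usr/share/elasticsearch/config/custom-truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
          #
          # Hardened form: the whole option string is read from a Secret,
          # so only principals with read access to that Secret see it.
          - name: ES_JAVA_OPTS
            valueFrom:
              secretKeyRef:
                name: env-es-java-opts
                key: java-opts
          volumeMounts:
          # Mounting the Secret at this directory makes its `cacerts` key
          # appear at the path named in the trustStore option above.
          - name: custom-truststore
            mountPath: /usr/share/elasticsearch/config/custom-truststore
            readOnly: true
        volumes:
        - name: custom-truststore
          secret:
            # The Secret name the issue says the docs should use.
            secretName: additional-certs
```

After the pods are running, `kubectl exec` into a node and check that `/usr/share/elasticsearch/config/custom-truststore/cacerts` exists and that `ES_JAVA_OPTS` in the container environment carries the expected options before registering and verifying the S3 repository.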

wortmanb commented 1 month ago

I updated this to remove the YAML indentation request because I think this resulted from a disconnect between how this customer indents "-" characters and what YAML actually allows. There is no problem with the YAML as written.