KubeDB

By AppsCode

github-icon twitterx-icon
TRY NOW FREE

New to KubeDB? Please start here.

Elasticsearch Recommendation

Overview

Elasticsearch Recommendation is a Kubernetes Custom Resource Definition (CRD) generated by the KubeDB Ops Manager. It continuously analyzes managed Elasticsearch clusters and produces actionable recommendations for essential maintenance and lifecycle operations.

These recommendations help operators proactively manage their database systems by identifying when to perform tasks such as:

  • Version upgrades
  • TLS certificate rotation
  • Authentication credential rotation

Each recommendation can be reviewed and executed manually or integrated into automated operational workflows, improving overall system reliability, security, and maintainability.

Recommendation Lifecycle

Prerequisites

Before proceeding, ensure that the following requirements are met:

  • A running Kubernetes cluster

  • kubectl configured to communicate with the cluster

  • A cluster provisioned using tools like kind (if not already available)

  • KubeDB operator installed following the guide here

  • Supervisor component enabled during installation:

  --set supervisor.enabled=true
  • A dedicated namespace for running examples:
$ kubectl create namespace demo
$ kubectl get namespace

Find Available StorageClass

We will have to provide StorageClass in Elasticsearch CRD specification. Check available StorageClass in your cluster using the following command,

$ kubectl get storageclass
NAME                   PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
local-path (default)   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  5d2h

Here, we have local-path StorageClass in our cluster from Local Path Provisioner.

This document provides a high-level overview with illustrative examples. To fully understand and apply these recommendations in your database, follow the linked guides and the Recommendation Overview

Recommendation Types

KubeDB currently supports the following recommendation categories for Elasticsearch:

  1. Version Update Recommendation
  2. TLS Certificate Rotation Recommendation
  3. Authentication Secret Rotation Recommendation

These recommendations are generated based on cluster configuration, resource lifecycle, and predefined thresholds.

How Recommendations Are Generated

The recommendation engine evaluates specific fields within the Elasticsearch resource specification and triggers recommendations when defined thresholds are reached. In most cases, recommendations are generated after approximately two-thirds (2/3) of a resource’s lifecycle has elapsed.

Authentication Secret Rotation

apiVersion: kubedb.com/v1
kind: Elasticsearch
metadata:
  name: es-combined
  namespace: demo
spec:
  version: xpack-9.1.9
  authSecret:
    kind: secret
    name: es-auth
    rotateAfter: 1h
  replicas: 1
  storageType: Durable
  storage:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  deletionPolicy: WipeOut

In this configuration:

  • The rotateAfter field defines the validity period of the authentication secret
  • A rotation recommendation is generated after approximately 40 minutes (i.e., 2/3 of 1 hour)

TLS Certificate Rotation

apiVersion: kubedb.com/v1
kind: Elasticsearch
metadata:
  name: es-combined
  namespace: demo
spec:
  version: xpack-9.1.9
  enableSSL: true
  tls:
    issuerRef:
      apiGroup: cert-manager.io
      kind: Issuer
      name: ca-issuer
    certificates:
      - alias: client
        duration: 1h20m
      - alias: http
        duration: 2h10m
  replicas: 1
  storageType: Durable
  storage:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  deletionPolicy: WipeOut

In this case:

  • Certificate durations define their lifecycle
  • Recommendations are generated after approximately 2/3 of each certificate’s validity period
  • For example, a 1h20m certificate triggers a recommendation after roughly 54 minutes

Version Update Recommendation

apiVersion: kubedb.com/v1
kind: Elasticsearch
metadata:
  name: es-combined
  namespace: demo
spec:
  version: xpack-9.1.9
  enableSSL: true
  replicas: 1
  storageType: Durable
  storage:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 1Gi
  deletionPolicy: WipeOut

For version updates:

  • The recommendation engine continuously monitors the running version
  • It suggests upgrades when newer, supported, or more secure versions become available

What's on this Page

Search
Improve This Page