Skip to content

Commit 7e362f8

Browse files
Fix Elasticsearch auth helm steps in doc
1 parent 1149eac commit 7e362f8

2 files changed

Lines changed: 58 additions & 59 deletions

File tree

deploy/helm/nvidia-blueprint-rag/values.yaml

Lines changed: 15 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -492,26 +492,25 @@ eck-elasticsearch:
492492
count: 1
493493
config:
494494
node.store.allow_mmap: false
495-
# Disable X-Pack security completely for development
496495
xpack.security.enabled: false
497496
xpack.security.http.ssl.enabled: false
498497
xpack.security.transport.ssl.enabled: false
499498
podTemplate:
500-
spec:
501-
containers:
502-
- name: elasticsearch
503-
# Override readiness probe to not require authentication
504-
readinessProbe:
505-
exec:
506-
command:
507-
- bash
508-
- -c
509-
- |
510-
curl -s http://localhost:9200/_cluster/health | grep -q '"status":"green"\|"status":"yellow"'
511-
initialDelaySeconds: 10
512-
periodSeconds: 10
513-
timeoutSeconds: 5
514-
failureThreshold: 3
499+
spec:
500+
containers:
501+
- name: elasticsearch
502+
# Override readiness probe to not require authentication
503+
readinessProbe:
504+
exec:
505+
command:
506+
- bash
507+
- -c
508+
- |
509+
curl -s http://localhost:9200/_cluster/health | grep -q '"status":"green"\|"status":"yellow"'
510+
initialDelaySeconds: 15
511+
periodSeconds: 10
512+
timeoutSeconds: 5
513+
failureThreshold: 3
515514

516515
# -- Observability
517516
# subsection: serviceMonitor

docs/change-vectordb.md

Lines changed: 43 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -109,7 +109,7 @@ If you're using Helm for deployment, use the following steps to configure Elasti
109109
# Expected output: elastic-operator-0 1/1 Running
110110
111111
# Verify ECK operator is ready
112-
kubectl wait --for=condition=ready pod -l control-plane=elastic-operator -n elastic-system --timeout=300s
112+
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=elastic-operator -n elastic-system --timeout=300s
113113
```
114114

115115
### Configuration Steps
@@ -151,7 +151,6 @@ If you're using Helm for deployment, use the following steps to configure Elasti
151151
node.store.allow_mmap: false
152152
# Disable authentication for easier setup (default)
153153
xpack.security.enabled: false
154-
xpack.security.http.ssl.enabled: false
155154
xpack.security.transport.ssl.enabled: false
156155
```
157156

@@ -215,11 +214,11 @@ curl -X GET "localhost:9200/_cluster/health?pretty"
215214
kubectl get pods -n rag | grep elasticsearch
216215
217216
# 2. Run the following command, replacing <elasticsearch-pod-name> with the actual pod name:
218-
# Common pod names: elasticsearch-es-default-0, rag-eck-elasticsearch-es-default-0
219-
kubectl exec -n rag -it <elasticsearch-pod-name> -- curl -X GET "localhost:9200/_cluster/health?pretty"
217+
# Use the pod name from step 1 (e.g. rag-eck-elasticsearch-es-default-0)
218+
kubectl exec -n rag <elasticsearch-pod-name> -- curl -s "localhost:9200/_cluster/health?pretty"
220219
221-
# Alternative: Port-forward and test from your machine
222-
kubectl port-forward -n rag svc/elasticsearch-es-http 9200:9200 &
220+
# Alternative: Port-forward and test from your machine (service name uses Helm release prefix)
221+
kubectl port-forward -n rag svc/rag-eck-elasticsearch-es-http 9200:9200 &
223222
curl -X GET "localhost:9200/_cluster/health?pretty"
224223
```
225224

@@ -289,7 +288,7 @@ If security is enabled, create an API key using either curl. You need a user wit
289288
#### 1. Using curl (replace credentials and URL as appropriate):
290289
```bash
291290
# If running inside the cluster, port-forward first:
292-
# kubectl -n rag port-forward svc/elasticsearch-es-http 9200:9200
291+
# kubectl -n rag port-forward svc/rag-eck-elasticsearch-es-http 9200:9200
293292
294293
curl -u elastic:your-secure-password \
295294
-X POST "http://127.0.0.1:9200/_security/api_key" \
@@ -365,36 +364,49 @@ Follow these steps to enable authentication for Elasticsearch in your Helm deplo
365364

366365
#### 1. Enable Elasticsearch Authentication
367366

368-
Edit [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) to enable X-Pack security:
367+
Edit [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) to enable X-Pack security. Set the following explicitly:
369368

370369
```yaml
371370
eck-elasticsearch:
372-
enabled: true
373-
http:
374-
tls:
375-
selfSignedCertificate:
376-
disabled: true # Keep TLS disabled for easier HTTP access
377371
nodeSets:
378372
- name: default
379-
count: 1
380373
config:
381374
node.store.allow_mmap: false
382-
# Enable X-Pack security for authentication
383375
xpack.security.enabled: true
384-
# Keep SSL/TLS disabled for HTTP
385-
xpack.security.http.ssl.enabled: false
386-
xpack.security.transport.ssl.enabled: false
376+
xpack.security.transport.ssl.enabled: true
387377
```
388378

389379
:::{important}
390380
**Key Configuration Flags:**
391-
- `xpack.security.enabled: true` - Enables authentication (default user: `elastic`)
392-
- `xpack.security.http.ssl.enabled: false` - Disables HTTPS (uses HTTP for simplicity)
393-
- `xpack.security.transport.ssl.enabled: false` - Disables SSL for node-to-node communication
394-
- `http.tls.selfSignedCertificate.disabled: true` - Disables ECK's automatic TLS certificate generation
381+
- `xpack.security.enabled: true` - Enables authentication (default user: `elastic`). Set this explicitly.
382+
- `xpack.security.transport.ssl.enabled: true` - Enables SSL for node-to-node communication. Set this explicitly.
395383
:::
396384

397-
#### 2. Deploy with Authentication Enabled
385+
#### 2. Replace Readiness Probe When Security Is Enabled
386+
387+
When X-Pack security is enabled, replace the current `readinessProbe` section under `eck-elasticsearch.nodeSets[0]` in [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) with the ECK default probe (so the pod uses the readiness port script instead of an unauthenticated curl check). Ensure the following `podTemplate` is present under the same `nodeSets` entry:
388+
389+
```yaml
390+
eck-elasticsearch:
391+
nodeSets:
392+
- name: default
393+
podTemplate:
394+
spec:
395+
containers:
396+
- name: elasticsearch
397+
readinessProbe:
398+
exec:
399+
command:
400+
- bash
401+
- -c
402+
- /mnt/elastic-internal/scripts/readiness-port-script.sh
403+
initialDelaySeconds: 10
404+
periodSeconds: 5
405+
timeoutSeconds: 5
406+
failureThreshold: 3
407+
```
408+
409+
#### 3. Deploy with Authentication Enabled
398410

399411
After modifying [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml), apply the changes as described in [Change a Deployment](deploy-helm.md#change-a-deployment).
400412

@@ -426,45 +438,33 @@ echo "Elasticsearch password: $ES_PASSWORD"
426438
Save this password securely. The password is auto-generated by ECK and persists across pod restarts unless the secret is deleted.
427439
:::
428440

429-
#### 4. Update Deployment with Credentials
441+
#### 5. Update Deployment with Credentials
430442

431443
Configure the RAG server and ingestor-server to use the retrieved credentials.
444+
**Update values.yaml (Recommended for Production)**
432445

433-
**Option A: Update via Helm Command Line (Quick)**
434-
435-
```bash
436-
# Retrieve the password
437-
ES_PASSWORD=$(kubectl get secret rag-eck-elasticsearch-es-elastic-user -n rag -o jsonpath='{.data.elastic}' | base64 -d)
438-
439-
# Upgrade deployment with credentials
440-
helm upgrade --install rag -n rag nvidia-blueprint-rag/ \
441-
--set imagePullSecret.password=$NGC_API_KEY \
442-
--set ngcApiSecret.password=$NGC_API_KEY \
443-
--set envVars.APP_VECTORSTORE_USERNAME="elastic" \
444-
--set envVars.APP_VECTORSTORE_PASSWORD="$ES_PASSWORD" \
445-
--set ingestor-server.envVars.APP_VECTORSTORE_USERNAME="elastic" \
446-
--set ingestor-server.envVars.APP_VECTORSTORE_PASSWORD="$ES_PASSWORD"
447-
```
446+
Edit [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) and set the following **new** values for Elasticsearch authentication:
448447

449-
**Option B: Update values.yaml (Recommended for Production)**
448+
- **APP_VECTORSTORE_USERNAME:** set to `"elastic"` (the default Elasticsearch superuser).
449+
- **APP_VECTORSTORE_PASSWORD:** set to the password you retrieved in step 4 (i.e. the value of `$ES_PASSWORD`, or paste the output of the `kubectl get secret ... -o jsonpath='{.data.elastic}' | base64 -d` command).
450450

451-
Edit [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) with the credentials:
451+
Example (replace `your-retrieved-password` with your actual `$ES_PASSWORD`):
452452

453453
```yaml
454454
# RAG Server configuration
455455
envVars:
456456
APP_VECTORSTORE_URL: "http://rag-eck-elasticsearch-es-http:9200"
457457
APP_VECTORSTORE_NAME: "elasticsearch"
458458
APP_VECTORSTORE_USERNAME: "elastic"
459-
APP_VECTORSTORE_PASSWORD: "your-retrieved-password"
459+
APP_VECTORSTORE_PASSWORD: "your-retrieved-password" # use $ES_PASSWORD from step 3
460460
461461
# Ingestor Server configuration
462462
ingestor-server:
463463
envVars:
464464
APP_VECTORSTORE_URL: "http://rag-eck-elasticsearch-es-http:9200"
465465
APP_VECTORSTORE_NAME: "elasticsearch"
466466
APP_VECTORSTORE_USERNAME: "elastic"
467-
APP_VECTORSTORE_PASSWORD: "your-retrieved-password"
467+
APP_VECTORSTORE_PASSWORD: "your-retrieved-password" # use $ES_PASSWORD from step 3
468468
```
469469

470470
Then apply the changes as described in [Change a Deployment](deploy-helm.md#change-a-deployment).

0 commit comments

Comments
 (0)