@@ -109,7 +109,7 @@ If you're using Helm for deployment, use the following steps to configure Elasti
109109 # Expected output: elastic-operator-0 1/1 Running
110110
111111 # Verify ECK operator is ready
112- kubectl wait --for=condition=ready pod -l control-plane =elastic-operator -n elastic-system --timeout=300s
112+ kubectl wait --for=condition=ready pod -l app.kubernetes.io/name =elastic-operator -n elastic-system --timeout=300s
113113 ` ` `
114114
115115# ## Configuration Steps
@@ -151,7 +151,6 @@ If you're using Helm for deployment, use the following steps to configure Elasti
151151 node.store.allow_mmap: false
152152 # Disable authentication for easier setup (default)
153153 xpack.security.enabled: false
154- xpack.security.http.ssl.enabled: false
155154 xpack.security.transport.ssl.enabled: false
156155 ` ` `
157156
@@ -215,11 +214,11 @@ curl -X GET "localhost:9200/_cluster/health?pretty"
215214kubectl get pods -n rag | grep elasticsearch
216215
217216# 2. Run the following command, replacing <elasticsearch-pod-name> with the actual pod name:
218- # Common pod names: elasticsearch-es-default-0, rag-eck-elasticsearch-es-default-0
219- kubectl exec -n rag -it < elasticsearch-pod-name> -- curl -X GET " localhost:9200/_cluster/health?pretty"
217+ # Use the pod name from step 1 (e.g. rag-eck-elasticsearch-es-default-0)
218+ kubectl exec -n rag < elasticsearch-pod-name> -- curl -s " localhost:9200/_cluster/health?pretty"
220219
221- # Alternative: Port-forward and test from your machine
222- kubectl port-forward -n rag svc/elasticsearch-es-http 9200:9200 &
220+ # Alternative: Port-forward and test from your machine (service name uses Helm release prefix)
221+ kubectl port-forward -n rag svc/rag-eck- elasticsearch-es-http 9200:9200 &
223222curl -X GET " localhost:9200/_cluster/health?pretty"
224223` ` `
225224
@@ -289,7 +288,7 @@ If security is enabled, create an API key using either curl. You need a user wit
289288# ### 1. Using curl (replace credentials and URL as appropriate):
290289` ` ` bash
291290# If running inside the cluster, port-forward first:
292- # kubectl -n rag port-forward svc/elasticsearch-es-http 9200:9200
291+ # kubectl -n rag port-forward svc/rag-eck- elasticsearch-es-http 9200:9200
293292
294293curl -u elastic:your-secure-password \
295294 -X POST " http://127.0.0.1:9200/_security/api_key" \
@@ -365,36 +364,49 @@ Follow these steps to enable authentication for Elasticsearch in your Helm deplo
365364
366365# ### 1. Enable Elasticsearch Authentication
367366
368- Edit [` values.yaml` ](../deploy/helm/nvidia-blueprint-rag/values.yaml) to enable X-Pack security:
367+ Edit [` values.yaml` ](../deploy/helm/nvidia-blueprint-rag/values.yaml) to enable X-Pack security. Set the following explicitly :
369368
370369` ` ` yaml
371370eck-elasticsearch:
372- enabled: true
373- http:
374- tls:
375- selfSignedCertificate:
376- disabled: true # Keep TLS disabled for easier HTTP access
377371 nodeSets:
378372 - name: default
379- count: 1
380373 config:
381374 node.store.allow_mmap: false
382- # Enable X-Pack security for authentication
383375 xpack.security.enabled: true
384- # Keep SSL/TLS disabled for HTTP
385- xpack.security.http.ssl.enabled: false
386- xpack.security.transport.ssl.enabled: false
376+ xpack.security.transport.ssl.enabled: true
387377` ` `
388378
389379:::{important}
390380** Key Configuration Flags:**
391- - ` xpack.security.enabled: true` - Enables authentication (default user: ` elastic` )
392- - ` xpack.security.http.ssl.enabled: false` - Disables HTTPS (uses HTTP for simplicity)
393- - ` xpack.security.transport.ssl.enabled: false` - Disables SSL for node-to-node communication
394- - ` http.tls.selfSignedCertificate.disabled: true` - Disables ECK' s automatic TLS certificate generation
381+ - ` xpack.security.enabled: true` - Enables authentication (default user: ` elastic` ). Set this explicitly.
382+ - ` xpack.security.transport.ssl.enabled: true` - Enables SSL for node-to-node communication. Set this explicitly.
395383:::
396384
397- #### 2. Deploy with Authentication Enabled
385+ # ### 2. Replace Readiness Probe When Security Is Enabled
386+
387+ When X-Pack security is enabled, replace the current ` readinessProbe` section under ` eck-elasticsearch.nodeSets[0]` in [` values.yaml` ](../deploy/helm/nvidia-blueprint-rag/values.yaml) with the ECK default probe (so the pod uses the readiness port script instead of an unauthenticated curl check). Ensure the following ` podTemplate` is present under the same ` nodeSets` entry:
388+
389+ ` ` ` yaml
390+ eck-elasticsearch:
391+ nodeSets:
392+ - name: default
393+ podTemplate:
394+ spec:
395+ containers:
396+ - name: elasticsearch
397+ readinessProbe:
398+ exec:
399+ command:
400+ - bash
401+ - -c
402+ - /mnt/elastic-internal/scripts/readiness-port-script.sh
403+ initialDelaySeconds: 10
404+ periodSeconds: 5
405+ timeoutSeconds: 5
406+ failureThreshold: 3
407+ ` ` `
408+
409+ # ### 3. Deploy with Authentication Enabled
398410
399411After modifying [` values.yaml` ](../deploy/helm/nvidia-blueprint-rag/values.yaml), apply the changes as described in [Change a Deployment](deploy-helm.md#change-a-deployment).
400412
@@ -426,45 +438,33 @@ echo "Elasticsearch password: $ES_PASSWORD"
426438Save this password securely. The password is auto-generated by ECK and persists across pod restarts unless the secret is deleted.
427439:::
428440
429- #### 4 . Update Deployment with Credentials
441+ # ### 5 . Update Deployment with Credentials
430442
431443Configure the RAG server and ingestor-server to use the retrieved credentials.
444+ ** Update values.yaml (Recommended for Production)**
432445
433- **Option A: Update via Helm Command Line (Quick)**
434-
435- ```bash
436- # Retrieve the password
437- ES_PASSWORD=$(kubectl get secret rag-eck-elasticsearch-es-elastic-user -n rag -o jsonpath=' {.data.elastic}' | base64 -d)
438-
439- # Upgrade deployment with credentials
440- helm upgrade --install rag -n rag nvidia-blueprint-rag/ \
441- --set imagePullSecret.password=$NGC_API_KEY \
442- --set ngcApiSecret.password=$NGC_API_KEY \
443- --set envVars.APP_VECTORSTORE_USERNAME="elastic" \
444- --set envVars.APP_VECTORSTORE_PASSWORD="$ES_PASSWORD" \
445- --set ingestor-server.envVars.APP_VECTORSTORE_USERNAME="elastic" \
446- --set ingestor-server.envVars.APP_VECTORSTORE_PASSWORD="$ES_PASSWORD"
447- ```
446+ Edit [` values.yaml` ](../deploy/helm/nvidia-blueprint-rag/values.yaml) and set the following ** new** values for Elasticsearch authentication:
448447
449- **Option B: Update values.yaml (Recommended for Production)**
448+ - ** APP_VECTORSTORE_USERNAME:** set to ` " elastic" ` (the default Elasticsearch superuser).
449+ - ** APP_VECTORSTORE_PASSWORD:** set to the password you retrieved in step 4 (i.e. the value of ` $ES_PASSWORD ` , or paste the output of the ` kubectl get secret ... -o jsonpath=' {.data.elastic}' | base64 -d` command).
450450
451- Edit [`values.yaml`](../deploy/helm/nvidia-blueprint-rag/values.yaml) with the credentials :
451+ Example (replace ` your-retrieved-password ` with your actual ` $ES_PASSWORD ` ) :
452452
453453` ` ` yaml
454454# RAG Server configuration
455455envVars:
456456 APP_VECTORSTORE_URL: " http://rag-eck-elasticsearch-es-http:9200"
457457 APP_VECTORSTORE_NAME: " elasticsearch"
458458 APP_VECTORSTORE_USERNAME: " elastic"
459- APP_VECTORSTORE_PASSWORD: "your-retrieved-password"
459+ APP_VECTORSTORE_PASSWORD: " your-retrieved-password" # use $ES_PASSWORD from step 3
460460
461461# Ingestor Server configuration
462462ingestor-server:
463463 envVars:
464464 APP_VECTORSTORE_URL: "http://rag-eck-elasticsearch-es-http:9200"
465465 APP_VECTORSTORE_NAME: "elasticsearch"
466466 APP_VECTORSTORE_USERNAME: "elastic"
467- APP_VECTORSTORE_PASSWORD: "your-retrieved-password"
467+ APP_VECTORSTORE_PASSWORD: "your-retrieved-password" # use $ES_PASSWORD from step 3
468468` ` `
469469
470470Then apply the changes as described in [Change a Deployment](deploy-helm.md#change-a-deployment).
0 commit comments