Recipe for exposing Fleet server to outside of the Kubernetes cluster#8788
Merged: pebrc merged 2 commits into elastic:main, Aug 25, 2025
Conversation
Collaborator
🎉 Snyk checks have passed. No issues have been found so far. ✅ security/snyk check is complete. No issues have been found. ✅ license/snyk check is complete. No issues have been found.
Collaborator
Author
After thinking about it: if Fleet is supposed to be exposed externally, then Elasticsearch needs to be exposed as well. Kibana, it could be argued, can be left out, but typically a user will access it from outside the cluster, so I left it in.
Unfortunately I don't recall what I had in mind there. I don't see any obvious simplification.
barkbay (Contributor) approved these changes, Aug 25, 2025, and left a comment:
👍 Tested with Let's Encrypt and nginx ✅
pebrc added a commit to elastic/docs-content that referenced this pull request, Sep 22, 2025:

Depends on elastic/cloud-on-k8s#8788

Add a new recipe for ECK managed Fleet servers after a recent support escalation that illustrated that users would benefit from additional guidance on how to set this up.

> This example shows how to expose the Fleet Server to the outside world using a Kubernetes Ingress resource. The Fleet Server is configured to use custom TLS certificates, and all communications are secured with TLS. The same Fleet Server is also accessible from within the cluster, allowing agents to connect to it regardless of their location. Refer to the comments in the `fleet-ingress-setup.yaml` file for more details on how to set up the Ingress resource and TLS certificates to enable this configuration.
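One way to wire up the layout the commit message describes, as an added illustration that is not the PR's `fleet-ingress-setup.yaml`: an ECK Agent in Fleet Server mode with a custom certificate, fronted by an ingress-nginx Ingress that terminates a public (e.g. Let's Encrypt) certificate and re-encrypts to the Fleet Server, while in-cluster agents keep using the Service directly. The namespace `default`, the resource and secret names, and `fleet.example.com` are assumptions.

```yaml
# Added illustration (not the PR's fleet-ingress-setup.yaml). Assumed names: namespace
# "default", Elasticsearch "elasticsearch", Kibana "kibana", host "fleet.example.com".
apiVersion: agent.k8s.elastic.co/v1alpha1
kind: Agent
metadata:
  name: fleet-server
spec:
  version: 9.1.0
  mode: fleet
  fleetServerEnabled: true
  policyID: eck-fleet-server
  kibanaRef:
    name: kibana
  elasticsearchRefs:
    - name: elasticsearch
  http:
    tls:
      certificate:
        # Assumed secret (tls.crt/tls.key) whose SANs cover the in-cluster Service name.
        secretName: fleet-server-tls
  deployment:
    replicas: 1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: fleet-server
  annotations:
    # Fleet Server listens on TLS only, so nginx must re-encrypt to the backend.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # ingress-nginx does not verify upstream certs by default; pin the backend to the custom cert's CA (assumed secret with ca.crt).
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/fleet-server-ca"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "fleet-server-agent-http.default.svc"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [fleet.example.com]
      secretName: fleet-external-tls   # public cert, e.g. Let's Encrypt via cert-manager
  rules:
    - host: fleet.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: fleet-server-agent-http   # Service ECK creates for this Agent
                port:
                  number: 8220
```

Kibana's Fleet settings (`xpack.fleet.agents.fleet_server.hosts`) must list `https://fleet.example.com:443` so that agents enrolled from outside are pointed at the Ingress, while in-cluster agents can still be given the Service URL.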
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request, Oct 31, 2025:

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [eck-operator](https://github.com/elastic/cloud-on-k8s) | minor | `3.1.0` -> `3.2.0` |

---

### Release Notes

<details>
<summary>elastic/cloud-on-k8s (eck-operator)</summary>

### [`v3.2.0`](https://github.com/elastic/cloud-on-k8s/releases/tag/v3.2.0)

[Compare Source](elastic/cloud-on-k8s@v3.1.0...v3.2.0)

### Elastic Cloud on Kubernetes 3.2.0 - [Quickstart guide](https://www.elastic.co/docs/deploy-manage/deploy/cloud-on-k8s#eck-quickstart)

##### Release Highlights

##### Automatic pod disruption budget (Enterprise feature)

ECK now offers better out-of-the-box PodDisruptionBudgets that automatically keep your cluster available as Pods move across nodes. The new policy calculates the number of Pods per tier that can sustain replacement and automatically generates a PodDisruptionBudget for each tier, enabling the Elasticsearch cluster to vacate Kubernetes nodes more quickly, while considering cluster health, without interruption.

##### User Password Generation (Enterprise feature)

ECK will now generate longer passwords by default for the administrative user of each Elasticsearch cluster. The password is 24 characters in length by default (can be configured to a maximum of 72 characters), incorporating alphabetic and numeric characters, to make password complexity stronger.

##### Features and enhancements

- Enable certificate reloading for stack monitoring Beats [#8833](elastic/cloud-on-k8s#8833) (issue: [#5448](elastic/cloud-on-k8s#5448))
- Allow configuration of file-based password character set and length [#8817](elastic/cloud-on-k8s#8817) (issues: [#2795](elastic/cloud-on-k8s#2795), [#8693](elastic/cloud-on-k8s#8693))
- Automatically set GOMEMLIMIT based on cgroups memory limits [#8814](elastic/cloud-on-k8s#8814) (issue: [#8790](elastic/cloud-on-k8s#8790))
- Introduce granular PodDisruptionBudgets based on node roles [#8780](elastic/cloud-on-k8s#8780) (issue: [#2936](elastic/cloud-on-k8s#2936))

##### Fixes

- Gate advanced Fleet config logic to Agent v8.13 and later [#8869](elastic/cloud-on-k8s#8869)
- Ensure Agent configuration and state persist across restarts in Fleet mode [#8856](elastic/cloud-on-k8s#8856) (issue: [#8819](elastic/cloud-on-k8s#8819))
- Do not set credentials label on Kibana config secret [#8852](elastic/cloud-on-k8s#8852) (issue: [#8839](elastic/cloud-on-k8s#8839))
- Allow elasticsearchRef.secretName in Kibana helm validation [#8822](elastic/cloud-on-k8s#8822) (issue: [#8816](elastic/cloud-on-k8s#8816))

##### Documentation improvements

- Update Logstash recipes from to filestream input [#8801](elastic/cloud-on-k8s#8801)
- Recipe for exposing Fleet server to outside of the Kubernetes cluster [#8788](elastic/cloud-on-k8s#8788)
- Clarify secretName restrictions [#8782](elastic/cloud-on-k8s#8782)
- Update ES_JAVA_OPTS comments and explain auto-heap behavior [#8753](elastic/cloud-on-k8s#8753)

##### Dependency updates

- github.com/gkampitakis/go-snaps v0.5.13 => v0.5.15
- github.com/hashicorp/vault/api v1.20.0 => v1.22.0
- github.com/KimMachineGun/automemlimit => v0.7.4
- github.com/prometheus/client_golang v1.22.0 => v1.23.2
- github.com/prometheus/common v0.65.0 => v0.67.1
- github.com/sethvargo/go-password v0.3.1 => REMOVED
- github.com/spf13/cobra v1.9.1 => v1.10.1
- github.com/spf13/pflag v1.0.6 => v1.0.10
- github.com/spf13/viper v1.20.1 => v1.21.0
- github.com/stretchr/testify v1.10.0 => v1.11.1
- golang.org/x/crypto v0.40.0 => v0.43.0
- k8s.io/api v0.33.2 => v0.34.1
- k8s.io/apimachinery v0.33.2 => v0.34.1
- k8s.io/client-go v0.33.2 => v0.34.1
- k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 => v0.0.0-20250604170112-4c0f3b243397
- sigs.k8s.io/controller-runtime v0.21.0 => v0.22.2
- sigs.k8s.io/controller-tools v0.18.0 => v0.19.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1911
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
Configuring Fleet to be accessible from both inside and outside the Kubernetes cluster is a bit tricky. This recipe aims at highlighting some of the gotchas.
Opened as draft as I want to see if there are additional simplifications (also, I think exposing the other stack resources through Ingress might be a distraction that I need to reconsider).