elastic
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 2 deletions b/‎.gitignore‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎deploy-manage/api-keys/elastic-cloud-api-keys.md‎
Lines changed: 3 additions & 1 deletion b/‎deploy-manage/api-keys/elastic-cloud-api-keys.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md‎
Lines changed: 16 additions & 1 deletion b/‎deploy-manage/deploy/cloud-enterprise/ece-networking-prereq.md‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎deploy-manage/deploy/cloud-on-k8s/pod-disruption-budget.md‎
Lines changed: 3 additions & 1 deletion b/‎deploy-manage/deploy/cloud-on-k8s/pod-disruption-budget.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎deploy-manage/monitor/autoops/autoops-sm-custom-certification.md‎
Lines changed: 115 additions & 0 deletions b/‎deploy-manage/monitor/autoops/autoops-sm-custom-certification.md‎
Lines changed: 115 additions & 0 deletions
diff --git a/‎deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md‎
Lines changed: 5 additions & 0 deletions b/‎deploy-manage/monitor/autoops/cc-cloud-connect-autoops-troubleshooting.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md‎
Lines changed: 4 additions & 3 deletions b/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md‎
Lines changed: 5 additions & 4 deletions b/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md‎
Lines changed: 3 additions & 2 deletions b/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md‎
Lines changed: 4 additions & 2 deletions b/‎deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md‎
Lines changed: 4 additions & 2 deletions
@@ -9,10 +9,10 @@
 # Add LLM/AI related files
 AGENTS.md
 .github/copilot-instructions.md
-.github/instructions/**.instructions.md
+.github/instructions
 CLAUDE.md
 GEMINI.md
 .cursor
 
 # VS code settings
-.vscode
+.vscode
@@ -34,9 +34,11 @@ These keys provides access to the API that enables you to manage your deployment
 
     ::::{note}
     When an API key is nearing expiration, Elastic sends an email to the creator of the API key and each of the operational contacts. When you use an API key to authenticate, the API response header `X-Elastic-Api-Key-Expiration` indicates the key’s expiration date. You can log this value to detect API keys that are nearing expiration.
+
+    Once an API key expires, it will automatically be removed from the API Keys tab.
     ::::
 
-5. Click **Create API key**, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.
+6. Click **Create API key**, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.
 
 The API key needs to be supplied in the `Authorization` header of a request, in the following format:
 
 
@@ -16,9 +16,9 @@ For versions 2.4.0 and 2.4.1, IPv6 should remain enabled on any host with the Pr
 
 * [Inbound traffic](#ece-inbound)
 * [Outbound traffic](#ece-outbound)
+* [Container communication on the same host](#ece-container-communication-on-same-host)
 * [Hosts in multiple data centers](#ece-multiple-data-centers)
 
-
 ## Inbound traffic [ece-inbound]
 
 When there are multiple hosts for each role, the inbound networking and ports can be represented by the following diagram:
@@ -68,6 +68,21 @@ Outbound traffic must also permit connections to the [snapshot repositories](../
 ::::
 
 
+## Container communication on the same host [ece-container-communication-on-same-host]
+
+The following ports need to be open for containers communicating with the host or with each other on the same host:
+
+| Port(s) | Purpose | Host role |
+| --- | --- | --- |
+| 53 | DNS resolver | All roles |
+| 2180 | ZooKeeper admin port | All roles |
+| 2375 | Docker admin port | All roles |
+| 2191-2199 | Debug ports | Director |
+| 5000-5010 | Java Virtual Machine (JVM)/debug ports | All roles |
+| 8080-8084 | Health/monitoring ports | All roles |
+| 9000, 9043 | Internal proxy use | Proxy |
+| 9244 | Internal proxy port | All roles |
+
 
 ## Hosts in multiple data centers [ece-multiple-data-centers]
 
 
@@ -19,12 +19,13 @@ In {{eck}} 3.1 and earlier, all clusters follow the [default PodDisruptionBudget
 :::
 
 ## Advanced rules (Enterprise license required)
+
 ```{applies_to}
 deployment:
   eck: ga 3.2
 ```
 
-In Elasticsearch clusters managed by ECK and licensed with an Enterprise license, a separate PDB is created for each type of `nodeSet` defined in the manifest. This setup allows Kubernetes upgrade or maintenance operations to be executed more quickly. Each PDB permits one Elasticsearch Pod per `nodeSet` to be disrupted at a time, provided the Elasticsearch cluster maintains the health status described in the following table:
+In {{es}} clusters managed by ECK and licensed with an Enterprise license, PDBs are created based on {{es}} node roles, allowing Kubernetes upgrade or maintenance operations to be executed more quickly. Multiple `nodeSets` with the same roles, such as `master` or `ml`, are combined into a single PDB. Each PDB permits one {{es}} Pod to be disrupted at a time, provided the {{es}} cluster maintains the health status described in the following table.
 
 | Role | Cluster health required | Notes |
 |------|------------------------|--------|
@@ -40,6 +41,7 @@ In Elasticsearch clusters managed by ECK and licensed with an Enterprise license
 Single-node clusters are not considered highly available and can always be disrupted regardless of license type.
 
 ## Default rules (Basic license) [default-pdb-rules]
+
 :::{note}
 In {{eck}} 3.1 and earlier, all clusters follow this behavior regardless of license type.
 :::
 
@@ -0,0 +1,115 @@
+---
+applies_to:
+  deployment:
+    self:
+    ece:
+    eck:
+navigation_title: Configure Elastic agent with custom certificate
+products:
+  - id: cloud-kubernetes
+  - id: cloud-enterprise
+---
+
+# Configure AutoOps {{agent}} with a custom SSL certificate 
+
+{{agent}} might not recognize your SSL certificate if it is signed by a custom or internal Certificate Authority (CA). In this case, {{agent}} will fail to connect your self-managed cluster to AutoOps and you might encounter an error like the following:
+
+```sh
+... x509: certificate signed by unknown authority ...
+```
+
+This error occurs because the machine where you have installed {{agent}} does not trust your custom or internal CA. To fix this error, follow the steps on this page to configure the agent with your custom SSL certificate.
+
+## Add custom certificate path to the `elastic-agent.yml` file
+
+To configure {{agent}} with your custom SSL certificate, add the path to your certificate to the [`elastic-agent.yml`](/reference/fleet/configure-standalone-elastic-agents.md) policy file on the host machine where the agent is installed. 
+
+Complete the following steps:
+
+1. On the host machine, open the `elastic-agent.yml` file. The default location is `/opt/Elastic/Agent/elastic-agent.yml`.
+2. In the `elastic-agent.yml` file, locate the `receivers.metricbeatreceiver.metricbeat.modules` section. 
+3. In this section, there are two modules configured for `autoops_es`, one for metrics and one for templates. \
+  Add the `ss.certificate_authorities` setting to both these modules using one of the following options:
+
+    :::::{tab-set}
+    :group: add-cert-auth-setting-to-module
+
+    ::::{tab-item} Use environment variable (recommended)
+    :sync: env-variable
+
+    We recommend using this method because it's flexible and keeps sensitive paths out of your main configuration.
+
+    Add the following line to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - ${env:AUTOOPS_CA_CERT}
+    ```
+    After adding this line to both modules, make sure the` AUTOOPS_CA_CERT` environment variable is set on the host machine and contains the full path to your certificate file (for example: `/etc/ssl/certs/my_internal_ca.crt`).
+    ::::
+
+    ::::{tab-item} Hardcode file path
+    :sync: hardcode-file-path
+
+    Use this method to specify the path directly. This method is often simpler for fixed or test environments.
+
+    Edit the following line with the path to your CA and add it to both `autoops_es` modules:
+
+    ```yaml
+    ssl.certificate_authorities:
+      - "/path/to/your/ca.crt"
+    ```
+    The following codeblock shows what your final configuration should look like when you use the hardcode method.
+
+    ```yaml
+    receivers:
+      metricbeatreceiver:
+        metricbeat:
+          modules:
+            # Metrics
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 10s
+              metricsets:
+                - cat_shards
+                - cluster_health
+                - cluster_settings
+                - license
+                - node_stats
+                - tasks_management
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+
+            # Templates
+            - module: autoops_es
+              hosts: ${env:AUTOOPS_ES_URL}
+              period: 24h
+              metricsets:
+                - cat_template
+                - component_template
+                - index_template
+              # --- ADD THIS LINE ---
+              ssl.certificate_authorities:
+                - "/path/to/your/ca.crt"
+    ```
+
+    ::::
+
+    :::::
+
+4. Save your changes to the `elastic-agent.yml` file.
+5. Restart {{agent}} so that the new settings can take effect.\
+    In most systemd-based Linux environments, you can use the following command to restart the agent:
+    ```bash
+    sudo systemctl restart elastic-agent
+    ```
+6. Check the agent logs again to confirm that the error is gone and that {{agent}} has successfully connected your self-managed cluster to AutoOps. 
+
+    :::{note}
+    If you encounter the following error in the agent logs, there might be a formatting issue in the `elastic-agent.yml` file.
+    ```sh
+    ... can not convert 'object' into 'string' ... ssl.certificate_authorities ...
+    ```
+    To fix this error, ensure your configuration is correctly formatted. The `ss.certificate_authorities` setting must be a list item (indicated by the `-`) containing one or more strings (the respective path to your certification files).
+    :::
@@ -23,6 +23,7 @@ Use this guide to troubleshoot any issues you may encounter.
 * [My cluster was disconnected from {{ecloud}} and I want to reconnect it.](#disconnected-cluster)
 * [After running the installation command, I can't move on to the next steps.](#next-steps)
 * [My organization's firewall may be preventing {{agent}} from collecting and sending metrics.](#firewall)
+* [{{agent}} is failing to connect because it doesn't recognize my SSL certificate.](#custom-cert)
 
 $$$single-cloud-org$$$**I’m trying to create a Cloud organization, but I’m already part of a different one.**
 :   :::{include} /deploy-manage/monitor/_snippets/single-cloud-org.md
@@ -166,6 +167,9 @@ $$$firewall$$$**My organization's firewall may be preventing {{agent}} from coll
     If you are using Docker, you may need to complete this configuration directly via the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables.
     :::
 
+$$$custom-cert$$$**{{agent}} is failing to connect because it doesn't recognize my SSL certificate.**
+:   If {{agent}} is failing to connect your self-managed cluster to AutoOps because it doesn't recognize your SSL certificate, refer to [](/deploy-manage/monitor/autoops/autoops-sm-custom-certification.md). 
+
 ## Potential errors
 
 The following table shows the errors you might encounter if something goes wrong while you set up and use AutoOps on your clusters.
@@ -184,3 +188,4 @@ The following table shows the errors you might encounter if something goes wrong
 | `VERSION_MISMATCH` | {{es}} version is unsupported | Upgrade your cluster to a [supported version](https://www.elastic.co/support/eol). |
 | `UNKNOWN_ERROR` | Installation failed | {{agent}} couldn't be installed due to an unknown issue. Consult the troubleshooting guide or contact [Elastic support](https://support.elastic.co/) for more help. |
 | | Failed to register Cloud Connected Mode: cluster license type is not supported | The cluster you are trying to connect doesn't have the required license to connect to AutoOps. For more information, refer to the [prerequisites](/deploy-manage/monitor/autoops/cc-connect-self-managed-to-autoops.md#prerequisites). |
+| `x509` | Certificate signed by unknown authority | {{agent}} couldn't connect. SSL certificate signed by unknown authority. |
@@ -2,6 +2,7 @@
 This snippet is in use in the following locations:
 - ece-remote-cluster-self-managed.md
 - ece-remote-cluster-other-ece.md
+- ece-enable-ccs-for-eck.md
 
 It requires remote_type substitution to be defined
 -->
@@ -10,7 +11,7 @@ It requires remote_type substitution to be defined
 
     Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
 
-3. Access the **Security** page of the deployment.
+3. From the navigation menu, select **Security**.
 4. Select **Remote Connections > Add trusted environment** and choose **{{remote_type}}**. Then click **Next**.
 5. Select **API keys** as authentication mechanism and click **Next**.
 6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select **No, it is private**.
@@ -21,13 +22,13 @@ It requires remote_type substitution to be defined
         * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
     3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS.
 
 8. Add the CA certificate of the remote environment.
 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page.
 10. Select **Create trust** to complete the configuration.
-11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
+11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.
 
@@ -4,23 +4,24 @@ This snippet is in use in the following locations:
 - ece-remote-cluster-same-ece.md
 - ece-remote-cluster-other-ece.md
 - ece-remote-cluster-ece-ess.md
+- ece-enable-ccs-for-eck.md
 -->
 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
 2. On the **Deployments** page, select your deployment.
 
     Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
 
-3. From the deployment menu, select **Security**.
+3. From the navigation menu, select **Security**.
 4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**.
 
     1. Fill both fields.
 
-        * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
+        * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
 
-5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.
 
@@ -2,6 +2,7 @@
 This snippet is in use in the following locations:
 - ec-remote-cluster-self-managed.md
 - ec-remote-cluster-ece.md
+- ec-enable-ccs-for-eck.md
 
 It requires remote_type substitution to be defined
 -->
@@ -21,13 +22,13 @@ It requires remote_type substitution to be defined
         * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
     3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS.
 
 8. Add the CA certificate of the remote environment.
 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page.
 10. Select **Create trust** to complete the configuration.
-11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
+11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.
 
@@ -4,6 +4,8 @@ This snippet is in use in the following locations:
 - ec-remote-cluster-same-ess.md
 - ec-remote-cluster-other-ess.md
 - ec-remote-cluster-ece.md
+- ec-enable-ccs-for-eck.md
+
 -->
 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
 2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments.
@@ -15,12 +17,12 @@ This snippet is in use in the following locations:
 
     1. Fill both fields.
 
-        * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
+        * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
     2. Click **Add** to save the API key.
 
-5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.