reviewing suggestions applied

eedugon · eedugon · commit 67151cc3ea55 · 2025-11-24T11:36:13.000+01:00
diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md
@@ -1,10 +1,5 @@
-On the local deployment, add the remote ECK cluster using {{kib}} or the {{es}} API.
-
-::::{note}
-When configuring the remote cluster connection:
+On the local deployment, add the remote ECK cluster using {{kib}} or the {{es}} API with the following connection settings:
 
 * **Remote address**: Use the FQDN or IP address of the LoadBalancer service, or similar resource, you created to expose the remote cluster server interface (for API key-based authentication) or the transport interface (for TLS certificate-based authentication).
 
 * **TLS server name**: You can try leaving this field empty first. If the connection fails, and your environment is presenting the ECK-managed certificates during the TLS handshake, use `<cluster-name>-es-remote-cluster.<namespace>.svc` as the server name. For example, for a cluster named `quickstart` in the `default` namespace, use `quickstart-es-remote-cluster.default.svc`.
-::::
-
diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_expose.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_expose.md
@@ -1,36 +1,52 @@
-When the remote cluster server is enabled, ECK automatically creates a Kubernetes service named `<cluster-name>-es-remote-cluster` that exposes the server internally on port `9443`:
+When the remote cluster server is enabled, ECK automatically creates a Kubernetes service named `<cluster-name>-es-remote-cluster` that exposes the server internally on port `9443`.
 
-```sh
-quickstart-es-remote-cluster       ClusterIP      None             <none>         9443/TCP            4h13m
-```
+To allow clusters running outside your Kubernetes environment to connect to this {{es}} cluster, you must expose this service externally. The way to expose this service depends on your ECK version.
+
+::::{applies-switch}
 
-To allow other clusters running outside your Kubernetes environment to connect, you must expose this service externally. As of ECK {{version.eck}}, you cannot customize the service that ECK generates for the remote cluster interface, but you can create your own `LoadBalancer` service, `Ingress` object, or use another method available in your environment.
+:::{applies-item} eck: ga 3.0
 
-For example, the following command creates a service named `quickstart-es-remote-cluster-lb`, similar to the managed `quickstart-es-remote-cluster` but of type `LoadBalancer`.
+In ECK 3.2 and earlier you cannot customize the service that ECK generates for the remote cluster interface, but you can create your own `LoadBalancer` service, `Ingress` object, or use another method available in your environment.
+
+For example, for a cluster named `quickstart`, the following command creates a separate `LoadBalancer` service named `quickstart-es-remote-cluster-lb`, pointing to the ECK-managed service `quickstart-es-remote-cluster`:
 
 ```sh
 kubectl expose service quickstart-es-remote-cluster \
   --name=quickstart-es-remote-cluster-lb \
   --type=LoadBalancer \ <1>
   --port=9443 --target-port=9443
 ```
-
 1. On cloud providers that support external load balancers, setting the type to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `<cluster-name>-es-remote-cluster` through one of the Kubernetes Ingress controllers that support TCP services.
 
+:::
 
-:::{admonition} About exposing the service and TLS certificates
-When exposing the remote cluster service, determine which TLS certificate will be presented to clients and whether a certificate authority (CA) is required to establish trust. This depends on how traffic to port `9443` is routed in your environment and which component terminates the TLS connection:
-
-* **{{es}} TLS termination**
-
-  If the connection reaches the {{es}} Pods without intermediate TLS termination, the {{es}} nodes present transport certificates managed by ECK. The local cluster must therefore trust these certificates by including the ECK-managed transport CA, which you can retrieve in the next section.
-
-  This setup is typical when using standard `LoadBalancer` services provided by most cloud providers.
-
-* **External TLS termination**
+:::{applies-item} eck: ga 3.3
+
+Starting in ECK 3.3, you can customize the service used for the remote cluster interface directly in the {{es}} resource. This allows you to choose the `Service` type or apply any supported `spec` fields without creating a separate Kubernetes Service.
+
+For example, the manifest below configures the remote cluster service as a `LoadBalancer`:
+
+```yaml
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: <cluster-name>
+  namespace: <namespace>
+spec:
+  version: 9.2.1
+  remoteClusterServer:
+    enabled: true
+    service:
+      type: LoadBalancer <1>
+  nodeSets:
+    - name: default
+      count: 3
+      ...
+      ...
+```
+1. On cloud providers that support external load balancers, setting the type to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `<cluster-name>-es-remote-cluster` through one of the Kubernetes Ingress controllers that support TCP services.
 
-  If the connection to port `9443` of your {{es}} cluster is handled by an external load balancer, Ingress controller, or another proxy that performs SSL termination with its own certificates, use the CA associated with that component if it's signed by a private CA.
-  
-  If the external TLS termination uses a publicly trusted certificate, no additional CA is needed.
+You can also configure other service types (such as `NodePort`) or attach annotations required by your environment.
 :::
+::::
 
diff --git a/deploy-manage/remote-clusters/_snippets/eck_rcs_retrieve_ca.md b/deploy-manage/remote-clusters/_snippets/eck_rcs_retrieve_ca.md
@@ -1,23 +1,17 @@
 The certificate authority (CA) used by ECK to issue certificates for the remote cluster server interface is stored in the `ca.crt` key of the secret named `<cluster_name>-es-transport-certs-public`.
 
-If the external connections reach the {{es}} Pods on port `9443` without any intermediate TLS termination, you must retrieve this CA, as it will be required in the local cluster configuration to establish trust.
+If the external connections reach the {{es}} Pods on port `9443` without any intermediate TLS termination, you need to retrieve this CA because it will be required in the local cluster configuration to establish trust.
 
-For example, to save the transport CA certificate of a cluster named `quickstart` into a local file, run the following command:
+If TLS is terminated by any intermediate component and the certificate presented is not the ECK-managed one, use the CA associated with that component, or omit the CA entirely if it uses a publicly trusted certificate.
+
+To save the transport CA certificate of a cluster named `quickstart` into a local file, run the following command:
 
 ```sh
 kubectl get secret quickstart-es-transport-certs-public \
 -o go-template='{{index .data "ca.crt" | base64decode}}' > eck_transport_ca.crt
 ```
 
-You can verify that the file contains a valid CA certificate by running the following command:
-
-```bash
-openssl x509 -in eck_transport_ca.crt -noout -text
-```
-
 ::::{important}
-ECK-managed CA certificates are automatically rotated after one year by default, but you can [configure](/deploy-manage/deploy/cloud-on-k8s/configure-eck.md) a different validity period.
-
-When the CA certificate is rotated, ensure that this CA is updated in all environments where it's used to preserve trust.
+ECK-managed CA certificates are automatically rotated after one year by default, but you can [configure](/deploy-manage/deploy/cloud-on-k8s/configure-eck.md) a different validity period. When the CA certificate is rotated, ensure that this CA is updated in all environments where it's used to preserve trust.
 ::::
 
