Merge branch 'main' into enhance-and-restructure-autoops-section

Author: wajihaparvez

.gitignore

@@ -9,10 +9,10 @@
 # Add LLM/AI related files
 AGENTS.md
 .github/copilot-instructions.md
-.github/instructions/**.instructions.md
+.github/instructions
 CLAUDE.md
 GEMINI.md
 .cursor
 
 # VS code settings
-.vscode
+.vscode

deploy-manage/api-keys/elastic-cloud-api-keys.md

@@ -34,9 +34,11 @@ These keys provides access to the API that enables you to manage your deployment
 
     ::::{note}
     When an API key is nearing expiration, Elastic sends an email to the creator of the API key and each of the operational contacts. When you use an API key to authenticate, the API response header `X-Elastic-Api-Key-Expiration` indicates the key’s expiration date. You can log this value to detect API keys that are nearing expiration.
+
+    Once an API key expires, it will automatically be removed from the API Keys tab.
     ::::
 
-5. Click **Create API key**, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.
+6. Click **Create API key**, copy the generated API key, and store it in a safe place. You can also download the key as a CSV file.
 
 The API key needs to be supplied in the `Authorization` header of a request, in the following format:
 

deploy-manage/deploy/cloud-on-k8s/pod-disruption-budget.md

@@ -19,12 +19,13 @@ In {{eck}} 3.1 and earlier, all clusters follow the [default PodDisruptionBudget
 :::
 
 ## Advanced rules (Enterprise license required)
+
 ```{applies_to}
 deployment:
   eck: ga 3.2
 ```
 
-In Elasticsearch clusters managed by ECK and licensed with an Enterprise license, a separate PDB is created for each type of `nodeSet` defined in the manifest. This setup allows Kubernetes upgrade or maintenance operations to be executed more quickly. Each PDB permits one Elasticsearch Pod per `nodeSet` to be disrupted at a time, provided the Elasticsearch cluster maintains the health status described in the following table:
+In {{es}} clusters managed by ECK and licensed with an Enterprise license, PDBs are created based on {{es}} node roles, allowing Kubernetes upgrade or maintenance operations to be executed more quickly. Multiple `nodeSets` with the same roles, such as `master` or `ml`, are combined into a single PDB. Each PDB permits one {{es}} Pod to be disrupted at a time, provided the {{es}} cluster maintains the health status described in the following table.
 
 | Role | Cluster health required | Notes |
 |------|------------------------|--------|
@@ -40,6 +41,7 @@ In Elasticsearch clusters managed by ECK and licensed with an Enterprise license
 Single-node clusters are not considered highly available and can always be disrupted regardless of license type.
 
 ## Default rules (Basic license) [default-pdb-rules]
+
 :::{note}
 In {{eck}} 3.1 and earlier, all clusters follow this behavior regardless of license type.
 :::

deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-private.md

@@ -2,6 +2,7 @@
 This snippet is in use in the following locations:
 - ece-remote-cluster-self-managed.md
 - ece-remote-cluster-other-ece.md
+- ece-enable-ccs-for-eck.md
 
 It requires remote_type substitution to be defined
 -->
@@ -10,7 +11,7 @@ It requires remote_type substitution to be defined
 
     Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
 
-3. Access the **Security** page of the deployment.
+3. From the navigation menu, select **Security**.
 4. Select **Remote Connections > Add trusted environment** and choose **{{remote_type}}**. Then click **Next**.
 5. Select **API keys** as authentication mechanism and click **Next**.
 6. When asked whether the Certificate Authority (CA) of the remote environment’s proxy or load-balancing infrastructure is public, select **No, it is private**.
@@ -21,13 +22,13 @@ It requires remote_type substitution to be defined
         * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
     3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS.
 
 8. Add the CA certificate of the remote environment.
 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page.
 10. Select **Create trust** to complete the configuration.
-11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
+11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md

@@ -4,23 +4,24 @@ This snippet is in use in the following locations:
 - ece-remote-cluster-same-ece.md
 - ece-remote-cluster-other-ece.md
 - ece-remote-cluster-ece-ess.md
+- ece-enable-ccs-for-eck.md
 -->
 1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md).
 2. On the **Deployments** page, select your deployment.
 
     Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.
 
-3. From the deployment menu, select **Security**.
+3. From the navigation menu, select **Security**.
 4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**.
 
     1. Fill both fields.
 
-        * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
+        * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
 
-5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-private.md

@@ -2,6 +2,7 @@
 This snippet is in use in the following locations:
 - ec-remote-cluster-self-managed.md
 - ec-remote-cluster-ece.md
+- ec-enable-ccs-for-eck.md
 
 It requires remote_type substitution to be defined
 -->
@@ -21,13 +22,13 @@ It requires remote_type substitution to be defined
         * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
-    2. Click **Add** to save the API key to the keystore.
+    2. Click **Add** to save the API key.
     3. Repeat these steps for each API key you want to add. For example, if you want to use several clusters of the remote environment for CCR or CCS.
 
 8. Add the CA certificate of the remote environment.
 9. Provide a name for the trusted environment. That name will appear in the trust summary of your deployment's **Security** page.
 10. Select **Create trust** to complete the configuration.
-11. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
+11. Restart the local deployment to reload the new settings. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md

@@ -4,6 +4,8 @@ This snippet is in use in the following locations:
 - ec-remote-cluster-same-ess.md
 - ec-remote-cluster-other-ess.md
 - ec-remote-cluster-ece.md
+- ec-enable-ccs-for-eck.md
+
 -->
 1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body).
 2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments.
@@ -15,12 +17,12 @@ This snippet is in use in the following locations:
 
     1. Fill both fields.
 
-        * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
+        * For the **Remote cluster name**, enter the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores.
         * For the **Cross-cluster API key**, paste the encoded cross-cluster API key.
 
     2. Click **Add** to save the API key.
 
-5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page, locate the **Actions** menu, and select **Restart {{es}}**.
 
     ::::{note}
     If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys.

deploy-manage/remote-clusters/_snippets/eck_expose_transport.md

@@ -0,0 +1,15 @@
+Expose the transport service (defaults to port `9300`) of your ECK cluster to allow external {{es}} clusters to connect:
+
+```yaml
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: <cluster-name>
+spec:
+  transport:
+    service:
+      spec:
+        type: LoadBalancer <1>
+```
+
+1. On cloud providers which support external load balancers, setting the type field to `LoadBalancer` provisions a load balancer for your service. Alternatively, expose the service `<cluster-name>-es-transport` through one of the Kubernetes Ingress controllers that support TCP services.

deploy-manage/remote-clusters/_snippets/eck_rcs_connect_intro.md

@@ -0,0 +1,5 @@
+On the local deployment, add the remote ECK cluster using {{kib}} or the {{es}} API with the following connection settings:
+
+* **Remote address**: Use the FQDN or IP address of the LoadBalancer service, or similar resource, you created to expose the remote cluster server interface (for API key-based authentication) or the transport interface (for TLS certificate-based authentication).
+
+* **TLS server name**: You can try leaving this field empty first. If the connection fails, and your environment is presenting the ECK-managed certificates during the TLS handshake, use `<cluster-name>-es-remote-cluster.<namespace>.svc` as the server name. For example, for a cluster named `quickstart` in the `default` namespace, use `quickstart-es-remote-cluster.default.svc`.

deploy-manage/remote-clusters/_snippets/eck_rcs_enable.md

@@ -0,0 +1,23 @@
+By default, the remote cluster server interface is deactivated on ECK-managed clusters. To use the API key–based security model for cross-cluster connections, you must first enable it on the remote {{es}} cluster:
+
+```yaml subs=true
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: <cluster-name>
+  namespace: <namespace>
+spec:
+  version: {{version.stack}}
+  remoteClusterServer:
+    enabled: true
+  nodeSets:
+    - name: default
+      count: 3
+      ...
+      ...
+```
+
+::::{note}
+Enabling the remote cluster server triggers a restart of the {{es}} cluster.
+::::
+