@dnraitzyk dnraitzyk commented Jul 7, 2025

Updated the documentation for using traffic filters with remote connections that stated that traffic filters cannot be used with API key auth. This is incorrect and left users with no option given that TLS Certificates are deprecated and traffic filters are not enforced for that auth method anyway. I also added clarification for the region TLS cert callout in the event there is confusion with that only being relevant for TLS Certificate auth (deprecated).

Ticket: https://elasticco.atlassian.net/browse/ECPTRAFFIC-1376

@dnraitzyk dnraitzyk requested a review from a team as a code owner July 7, 2025 21:41

::::{note}
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection.
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.
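
Review bot: In the sentence appended to the note, "This is regardless of whether..." has no clear antecedent: it could refer to the upload requirement or to where the certificate is found. Name the subject instead, for example "This upload is required whether the remote connection authenticates with API keys or TLS certificates (deprecated)." The added sentence also capitalises "TLS Certificates" while the rest of the note uses lowercase "TLS certificate"; pick one form.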

It may be helpful to mention which version of ECE deprecates the TLS certificate method (RCS 1.0) to provide better clarity for users.

@dnraitzyk dnraitzyk Jul 7, 2025

I was mostly just adding that to clarify it's the same as the deprecation on the auth page. I didn't want to be too redundant since the source of truth page for that deprecation exists elsewhere as shown. Do you think I should add it in multiple places?
[Screenshot 2025-07-07 at 6 05 49 PM]

I think it would be helpful to mention the deprecated version here or include a link to the relevant document, but I’ll defer to @elastic/admin-docs for their recommendation.

bobbybho commented Jul 7, 2025

Overall, the content looks good from a technical perspective, and I just have a minor comment. It would be helpful to get feedback from @igor-kupczynski as well to double-check if anything might be missing.

@eedugon eedugon left a comment

LGTM, just minor comments

I cannot change it as it's not part of this PR, but the following should also be updated, as it explicitly mentions TLS cert authentication:

For remote clusters configured using TLS certificate authentication, traffic filtering can be enabled to restrict access to deployments that are used as a local or remote cluster without any impact to cross-cluster search or cross-cluster replication.

I'd suggest something similar to my previous comment.

What did you mean here?

@eedugon eedugon Jul 10, 2025

Sorry I'm late here @dnraitzyk. It wasn't important.
What I meant is that this PR removes the inconsistency of specifying that only TLS certificate authentication was supported for traffic filters + remote cluster, and we have left a paragraph that explicitly mentions TLS cert authentication:

For remote clusters configured using TLS certificate authentication, traffic filtering can be enabled....

The "using TLS certificate authentication" should probably be removed because API keys are also supported.

Anyway it's not a big deal and we can change it in another PR :)

@igor-kupczynski igor-kupczynski requested a review from Copilot July 10, 2025 07:16

@Copilot Copilot AI left a comment

Pull Request Overview

This PR removes an incorrect limitation that API key authentication cannot be used with traffic filters across various remote cluster documentation and clarifies that uploading the region’s TLS certificate is required regardless of auth method.

  • Removed outdated bullet stating API key auth is incompatible with traffic filters
  • Updated CCS docs to reflect traffic filtering support with API keys
  • Clarified TLS certificate upload note applies to both API key and deprecated TLS cert auth

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| deploy-manage/remote-clusters/ece-enable-ccs.md | Clarified TLS certificate requirement for remote connections and updated note |
| deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md | Removed incorrect limitation on API key with traffic filters |
| deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md | Removed incorrect limitation on API key with traffic filters |
| deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md | Removed incorrect limitation on API key with traffic filters |
| deploy-manage/remote-clusters/ec-remote-cluster-ece.md | Removed incorrect limitation on API key with traffic filters |
| deploy-manage/remote-clusters/ec-enable-ccs.md | Updated traffic filtering description to apply regardless of auth method |

Comments suppressed due to low confidence (1)

deploy-manage/remote-clusters/ece-enable-ccs.md:76

  • [nitpick] The clarification about auth methods is repeated in two nearly identical sentences. Consider consolidating into a single clear sentence to avoid redundancy.
When setting up traffic filters for a remote connection to an {{ece}} environment, you also need to upload the region’s TLS certificate of the local cluster to the {{ece}} environment’s proxy. You can find that region’s TLS certificate in the **Security** page of any deployment of the environment initiating the remote connection. This is regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections. This applies regardless of whether you are using API key or TLS Certificates (deprecated) to authenticate remote connections.

@igor-kupczynski igor-kupczynski left a comment

LGTM, thanks @dnraitzyk

@dnraitzyk dnraitzyk enabled auto-merge (squash) July 10, 2025 13:20
@dnraitzyk dnraitzyk merged commit 809b5b7 into elastic:main Jul 10, 2025
7 of 8 checks passed