Remove curl -k from examples and add certificate guidance #6078
…gnostic Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tash diagnostic" This reverts commit 0062a02.
Pull request overview
This PR updates documentation examples to avoid recommending curl -k/--insecure by default, and adds guidance on using CA certificates (or using --insecure only for testing) to address issue #5776.
Changes:
- Removes `-k`/`--insecure` from `curl` command examples across docs.
- Adds `tip`/`important` admonitions explaining secure TLS options (`--cacert`) and the testing-only escape hatch (`--insecure`).
- Adjusts a few pages’ surrounding wording/structure to accommodate the new guidance.
Reviewed changes
Copilot reviewed 29 out of 29 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| troubleshoot/kibana/capturing-diagnostics.md | Adds TLS tip and removes -k from Kibana diagnostic curl example. |
| troubleshoot/kibana/alerts.md | Adds TLS tip and removes -k from connector execute curl example. |
| troubleshoot/ingest/logstash/diagnostic.md | Adds TLS tip and removes -k from Logstash diagnostic curl example. |
| troubleshoot/elasticsearch/unable-to-retrieve-node-fs-stats.md | Replaces insecure TLS testing snippet with tip + --cacert guidance. |
| troubleshoot/elasticsearch/diagnostic.md | Adds TLS tip and removes -k from Elasticsearch diagnostic curl example. |
| explore-analyze/alerting/alerts/alerting-troubleshooting.md | Adds TLS tip and removes -k from connector execute curl example. |
| deploy-manage/upgrade/orchestrator/upgrade-cloud-enterprise.md | Adds ECE-focused important TLS guidance; removes -k from license check example. |
| deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md | Adds ECE TLS important admonition; removes -k from multiple API examples. |
| deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md | Adds ECE TLS important admonition; removes -k from trust API example. |
| deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md | Adds TLS tip admonition; removes -k from hosted/ESS remote cluster example. |
| deploy-manage/monitor/autoops/autoops-sm-troubleshoot-firewalls.md | Adds TLS tip admonition and updates troubleshooting table guidance around --insecure. |
| deploy-manage/deploy/cloud-on-k8s/quickstart-standalone.md | Adds TLS tip admonition; removes -k from ECK quickstart curl. |
| deploy-manage/deploy/cloud-on-k8s/quickstart-beats.md | Adds TLS tip admonition; removes -k from ECK beats quickstart curl. |
| deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md | Adds TLS tip admonition; removes -k and updates surrounding TLS wording. |
| deploy-manage/deploy/cloud-enterprise/switch-from-apm-to-integrations-server-payload.md | Adds ECE TLS important admonition; removes -k from deployment API example. |
| deploy-manage/deploy/cloud-enterprise/manage-elastic-stack-versions.md | Replaces prior -k mention with ECE TLS important admonition. |
| deploy-manage/deploy/cloud-enterprise/ece-integrations-server-api-example.md | Adds ECE TLS important admonition; removes -k from deployment API example. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-tag-allocators.md | Adds ECE TLS important admonition; removes -k from allocator API examples and removes older -k tip text. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-instance-configurations-create.md | Adds ECE TLS important admonition; removes -k from instance configuration API examples. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-create-templates.md | Adds ECE TLS important admonition; removes -k from template API examples. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-configure-system-templates.md | Adds ECE TLS important admonition; removes -k from system template API examples. |
| deploy-manage/deploy/cloud-enterprise/ece-ce-add-support-for-integrations-server.md | Adds ECE TLS important admonition; removes -k from template API examples. |
| deploy-manage/deploy/cloud-enterprise/deploy-small-installation.md | Adds ECE TLS important admonition; removes -k from enrollment token curl example. |
| deploy-manage/deploy/cloud-enterprise/deploy-medium-installation.md | Adds ECE TLS important admonition; removes -k from enrollment token curl example. |
| deploy-manage/deploy/cloud-enterprise/deploy-large-installation.md | Adds ECE TLS important admonition; removes -k from enrollment token curl example. |
| deploy-manage/deploy/cloud-enterprise/configure-allocator-affinity.md | Adds ECE TLS important admonition; removes -k from allocator affinity API examples. |
| deploy-manage/deploy/cloud-enterprise/ce-add-support-for-node-roles-autoscaling.md | Adds ECE TLS important admonition; removes -k from deployment template API examples. |
| deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md | Adds ECE/ESS-scoped TLS admonitions inside applies-switch; removes -k from ECE autoscaling API example. |
| deploy-manage/api-keys/elastic-cloud-enterprise-api-keys.md | Adds ECE TLS important admonition; removes -k from login API example. |
Comments suppressed due to low confidence (1)
deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md:676
- The `applies-switch` block opens with 5 colons (`:::::`) but is closed with 4 (`::::`). This mismatched fence is likely to break MyST parsing / the docs build. Close the outer `applies-switch` with the same number of colons used to open it (and ensure nested `applies-item` blocks are closed before that).
::::
:::::
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
[edit] @eedugon raised some concerns so dismissing my overhasty ✅ 😄
eedugon
left a comment
I think we should create 2 snippets to be able to maintain this better in the future:
- One snippet for the ECE message
- One snippet for the more generic message
- Maybe a snippet for ECK if we want to include the command to obtain the cluster CA (generated by ECK by default, shared in a comment).
Shared other comments for your consideration; for example, I'd avoid saying "valid certificate" as that's unclear.
@eedugon Re: snippets, of course! I was always planning to do those in a follow-up PR, for ease of reviews and to limit the scope of this one. There's a method to my madness 🙂 opened https://github.com/elastic/docs-content-internal/issues/1125
Vale Linting Results
Summary: 3 warnings, 5 suggestions found
| File | Line | Rule | Message |
|---|---|---|---|
| deploy-manage/deploy/cloud-enterprise/ce-add-support-for-node-roles-autoscaling.md | 1430 | Elastic.DontUse | Don't use 'just'. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-instance-configurations-create.md | 74 | Elastic.DirectionalLanguage | Don't use directional language. Use 'the label of the element' instead of 'on the right'. |
| deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md | 218 | Elastic.DontUse | Don't use 'just'. |
💡 Suggestions (5)
| File | Line | Rule | Message |
|---|---|---|---|
| deploy-manage/deploy/cloud-enterprise/ce-add-support-for-node-roles-autoscaling.md | 1430 | Elastic.Wordiness | Consider using 'to' instead of 'in order to'. |
| deploy-manage/deploy/cloud-enterprise/ece-ce-add-support-for-integrations-server.md | 14 | Elastic.Wordiness | Consider using 'to' instead of 'in order to'. |
| deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-configure-system-templates.md | 25 | Elastic.Wordiness | Consider using 'to' instead of 'in order to'. |
| deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md | 218 | Elastic.Wordiness | Consider using 'to' instead of 'In order to'. |
| troubleshoot/elasticsearch/diagnostic.md | 31 | Elastic.Versions | Use 'or later' instead of 'or higher' when referring to versions. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
@eedugon @leemthompo please take another look when you have a moment. Thank you! I like to do snippets separately 🙃 🤷♀️
eedugon
left a comment
Looks great! Thanks a lot for doing this!
Once this is merged ping me in private and I'll add a small add-on to the ECK quickstarts in a separate PR.
The add-on will consist of linking to the instructions to obtain the CA in ECK (which we have in a separate doc). But let's not lose time on that now.
mdbirnstiehl
left a comment
Unblocking from Experience docs side.
Fixes #5776 (opened by a security researcher). Instead of specifying `-k` in curl examples, offer it as an option for testing and note that it's insecure.

Generative AI disclosure

Did you use a generative AI (GenAI) tool to assist in creating this contribution?

👇 PR description written by Claude 🤖

Summary

Fixes #5776. Documentation across the repo recommended `curl -k`/`--insecure`, which disables TLS certificate verification and exposes users to MITM attacks if copied into real environments.

Changes:
- `-k`/`--insecure` from all `curl` command examples (29 files)

more details

Two-tier admonition approach

Pages use one of two admonition types depending on deployment context.

ECE pages — `::::{important}` (18 files)

ECE installations use a self-signed certificate by default, so the `--cacert` guidance is immediately actionable and the risk of blindly adding `-k` to production commands is higher. The admonition leads with the secure path:

Non-ECE pages — `::::{tip}` (11 files)

ECK, Elastic Cloud (hosted), troubleshooting, and AutoOps pages assume a valid certificate in most scenarios. The tip documents the escape hatch without implying users need `--cacert` or are running an ECE coordinator with a self-signed default:

One exception: `ec-remote-cluster-same-ess.md` has `applies_to: deployment: ess: ga` (Elastic Cloud hosted), not ECE — it gets the `tip` even though it lives next to ECE remote-cluster pages.

One exception: `autoscaling-in-ece-and-ech.md` has both an ECE tab and an ESS tab — the `::::{important}` is scoped inside the `::::{applies-item} ece:` block, and the `::::{tip}` is inside the `::::{applies-item} ess:` block.

Files changed

ECE — `::::{important}`:
- `deploy-manage/api-keys/elastic-cloud-enterprise-api-keys.md`
- `deploy-manage/autoscaling/autoscaling-in-ece-and-ech.md`
- `deploy-manage/deploy/cloud-enterprise/ce-add-support-for-node-roles-autoscaling.md`
- `deploy-manage/deploy/cloud-enterprise/configure-allocator-affinity.md`
- `deploy-manage/deploy/cloud-enterprise/deploy-large-installation.md`
- `deploy-manage/deploy/cloud-enterprise/deploy-medium-installation.md`
- `deploy-manage/deploy/cloud-enterprise/deploy-small-installation.md`
- `deploy-manage/deploy/cloud-enterprise/ece-ce-add-support-for-integrations-server.md`
- `deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-configure-system-templates.md`
- `deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-create-templates.md`
- `deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-instance-configurations-create.md`
- `deploy-manage/deploy/cloud-enterprise/ece-configuring-ece-tag-allocators.md`
- `deploy-manage/deploy/cloud-enterprise/ece-integrations-server-api-example.md`
- `deploy-manage/deploy/cloud-enterprise/manage-elastic-stack-versions.md`
- `deploy-manage/deploy/cloud-enterprise/switch-from-apm-to-integrations-server-payload.md`
- `deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md`
- `deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md`
- `deploy-manage/upgrade/orchestrator/upgrade-cloud-enterprise.md`

Non-ECE — `::::{tip}`:
- `deploy-manage/deploy/cloud-on-k8s/elasticsearch-deployment-quickstart.md`
- `deploy-manage/deploy/cloud-on-k8s/quickstart-beats.md`
- `deploy-manage/deploy/cloud-on-k8s/quickstart-standalone.md`
- `deploy-manage/monitor/autoops/autoops-sm-troubleshoot-firewalls.md`
- `deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md`
- `explore-analyze/alerting/alerts/alerting-troubleshooting.md`
- `troubleshoot/elasticsearch/diagnostic.md`
- `troubleshoot/elasticsearch/unable-to-retrieve-node-fs-stats.md`
- `troubleshoot/ingest/logstash/diagnostic.md`
- `troubleshoot/kibana/alerts.md`
- `troubleshoot/kibana/capturing-diagnostics.md`

Test plan

- `curl -k` in changed files: `grep -rn "curl -k\b" . --include="*.md" | grep -v "\.claude/"` (expect zero)
- `--insecure` appears only inside admonition text and the curl manpage link: `grep -rn "\-\-insecure" . --include="*.md" | grep -v "\.claude/\|curl\.se/docs"` (expect zero)
- `--cacert` in paragraph 1 and `--insecure`/`-k` in paragraph 2
- `autoscaling-in-ece-and-ech.md` has ECE `important` inside the ECE tab and ESS `tip` inside the ESS tab
- `ec-remote-cluster-same-ess.md` has a `tip` (not `important`)

🤖 Generated with Claude Code
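The test plan's first grep looks for the literal `curl -k`, which does not match a clustered short flag such as `-sk` or a flag placed on a backslash-continued line. The following is an added example, not part of this PR or of Elastic's docs tooling, that widens the check to those cases and limits it to fenced code blocks so admonition prose mentioning `--insecure` is not reported; the function name `find_insecure_curl` and the set of boolean short flags accepted before `k` are assumptions.

```shell
#!/bin/sh
# Added example: report curl commands in Markdown code fences that disable TLS verification.
# Output format: file:line: joined command (line = first line of the command).
find_insecure_curl() {
  dir=$1
  fence=$(printf '\140\140\140')   # three backticks, built here so this listing nests cleanly
  find "$dir" -type f -name '*.md' ! -path '*/.claude/*' | sort |
  while IFS= read -r f; do
    awk -v fence="$fence" -v file="$f" '
      function check(cmd, n) {
        # Only curl invocations are of interest.
        if (cmd !~ /(^|[^A-Za-z0-9_-])curl[ \t]/) return
        # --insecure, or -k alone or clustered after common boolean short flags
        # (assumed set: s S f L v V i I g G N O J 4 6), e.g. -sk or -sSk.
        if (cmd ~ /(^|[ \t])--insecure([ \t]|$)/ ||
            cmd ~ /(^|[ \t])-[sSfLvViIgGNOJ46]*k[A-Za-z]*([ \t]|$)/)
          printf "%s:%d: %s\n", file, n, cmd
      }
      {
        t = $0; sub(/^[ \t]+/, "", t)
        if (index(t, fence) == 1) {          # opening or closing code fence
          if (buf != "") { check(buf, start); buf = "" }
          in_code = !in_code; next
        }
        if (!in_code) next                   # prose and admonition text are skipped
        if (buf == "") start = NR
        line = $0
        if (line ~ /\\[ \t]*$/) {            # trailing backslash: command continues
          sub(/\\[ \t]*$/, " ", line); buf = buf line; next
        }
        check(buf line, start); buf = ""
      }
      END { if (buf != "") check(buf, start) }
    ' "$f"
  done
}
```

Run it as `find_insecure_curl .` from the docs root; an empty result means no fenced curl example disables certificate verification.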