Docs for secrets storage in agent outputs (#696) (#769)

* Docs for secrets storage in agent outputs * secret storage through config file * Jill's feedback * remove changes from policies page * Add reference to preconfiguration settings docs * Add note to SSL key setting, Logstash & Kafka (cherry picked from commit f9e23bd) Co-authored-by: David Kilfoyle <[email protected]>
elastic · Dec 14, 2023 · e022eb8 · e022eb8
1 parent 7fae835
commit e022eb8
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/docs/en/ingest-management/fleet/fleet-settings-output-kafka.asciidoc b/docs/en/ingest-management/fleet/fleet-settings-output-kafka.asciidoc
@@ -78,6 +78,10 @@ When SCRAM is enabled, {agent} uses the link:https://en.wikipedia.org/wiki/Salte
 * SCRAM-SHA-256 - uses the SHA-256 hashing function
 * SCRAM-SHA-512 - uses the SHA-512 hashing function
 
+To prevent unauthorized access your Kafka password is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the password as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher.
+
+Note that this setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more.
+
 // ============================================================================
 
 |
@@ -97,6 +101,10 @@ Client SSL certificate key::
 The private key generated for the client. This must be in PKCS 8 key. Copy and paste in the full contents of the certificate key. This is the certificate key that all the agents will use to connect to Kafka.
 +
 In cases where each client has a unique certificate key, the local path to that certificate key can be placed here. The agents will pick the certificate key in that location when establishing a connection to Kafka.
++
+To prevent unauthorized access the certificate key is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the key as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher.
++
+Note that this setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more.
 
 // ============================================================================
 

diff --git a/docs/en/ingest-management/fleet/fleet-settings-output-logstash.asciidoc b/docs/en/ingest-management/fleet/fleet-settings-output-logstash.asciidoc
@@ -64,6 +64,10 @@ Copy and paste in the full contents of the certificate key. This is the certific
 In cases where each client has a unique certificate key, the local path to that certificate key can be placed here.
 The agents will pick the certificate key in that location when establishing a connection to {ls}.
 
+To prevent unauthorized access the certificate key is stored as a secret value. While secret storage is recommended, you can choose to override this setting and store the key as plain text in the agent policy definition. Secret storage requires {fleet-server} version 8.12 or higher.
+
+Note that this setting can also be stored as a secret value or as plain text for preconfigured outputs. See {kibana-ref}/fleet-settings-kb.html#_preconfiguration_settings_for_advanced_use_cases[Preconfiguration settings] in the {kib} Guide to learn more.
+
 // =============================================================================
 
 |