Initial refinement self-managed tutorial1 and glue between tutorials

[eedugon]

Summary

This PR delivers a first refinement pass for the self-managed stack tutorials, with the main focus on clarifying the security model in Tutorial 1 and aligning the relationship between Tutorial 1 and Tutorial 2.

Tutorial 2 is almost untouched, just the intro.

The most important change is that Tutorial 1 now explains much more clearly that it already benefits from Elasticsearch automatic security setup by default, rather than implying that the stack remains unsecured until Tutorial 2. The tutorial also now explains the limits of that default setup, especially around browser-to-Kibana HTTPS and the Fleet Server Quick Start certificate flow.

Related issue: #929

What changed

Tutorial 1: security framing and transition to Tutorial 2

• Added a clearer security note near the top of tutorial-self-managed-install.md explaining that the installation flow relies on Elasticsearch automatic security setup.
• Added a new Security overview section to explain the actual certificate and TLS layout produced by Tutorial 1:
  • Elasticsearch automatic security setup for transport and HTTP TLS
  • Kibana enrollment with Elasticsearch
  • no browser-to-Kibana HTTPS in this tutorial
  • Fleet Server Quick Start self-signed HTTPS
  • Agent enrollment using --insecure because of that Quick Start flow
• Reworked the post-Kibana stop note so it no longer suggests that Tutorial 1 lacks TLS/SSL.
• Clarified that readers who want custom, corporate-provided, or publicly trusted certificates should stop after Kibana setup and continue with Tutorial 2 before installing Fleet Server and Elastic Agent.
• Added explicit wording that browser-to-Kibana HTTPS is not configured here and is strongly recommended for production.

Tutorial 1: small fixes and wording corrections

• Replaced outdated “master node” wording with bootstrap/new cluster language for the first Elasticsearch node.
• Fixed the typo in the commented network.host example (92.168... -> 192.168...).
• Fixed the log example typo (intialized -> initialized).
• Fixed the Elastic Agent installation step so it refers to the agent host instead of the Fleet Server host.
• Fixed the Elastic Agent command example so it actually includes --insecure.
• Updated the Fleet Server host URL example from http://...:8220 to https://...:8220 for consistency with the later agent enrollment flow.
• Cleaned up several awkward future-tense phrasings to improve readability and consistency.

Tutorial 1: binding guidance

• Kept the tutorial flow based on the host IP collected with ifconfig, since that IP is reused in later steps.
• Added inline notes to the network.host and server.host examples to mention 0.0.0.0 as a common alternative when readers want Elasticsearch or Kibana to listen on all available network interfaces.

Tutorial 2: title and positioning

• Renamed Tutorial 2 from “Secure a self-managed stack” to a title that better reflects its real purpose as a certificate customization / replacement flow rather than “turn security on”.
• Reworked the opening section of tutorial-self-managed-secure.md so it now:
  • explicitly references Tutorial 1’s automatic/default security setup
  • explains that Tutorial 2 replaces or extends that default certificate setup
  • lists concrete use cases, including:
    • corporate/public CA-signed certificates
    • private CA usage
    • browser-to-Kibana HTTPS
    • Fleet Server / Agent TLS customization
    • shared CA for public-facing endpoints while keeping a separate transport trust domain
• Added a note clarifying that readers do not necessarily need to complete every section of Tutorial 2 if they only need a subset of the certificate changes.

Tutorials index page

• Updated tutorials.md so both tutorial entries describe their outcome and security scope more precisely.
• Added a short security overview for each tutorial in the index:
  • Tutorial 1 now explains the secure-by-default setup and its limits
  • Tutorial 2 now explains which certificate customization actions it enables

Items touched from #929

This PR addresses or partially addresses several of the Tutorial 1 items discussed in #929, especially the ones related to security framing and correctness:

• automatic security setup should be explicitly acknowledged
• Tutorial 1 should clarify that transport and HTTP TLS are already configured by default

Generative AI disclosure

1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?

• Yes
• No

Tool(s) and model(s) used:
Cursor + GPT

[github-actions]

Vale Linting Results

Summary: 1 warning, 6 suggestions found

⚠️ Warnings (1)

File	Line	Rule	Message
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	680	Elastic.DontUse	Don't use 'just'.

💡 Suggestions (6)

File	Line	Rule	Message
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	267	Elastic.Wordiness	Consider using 'because' instead of 'since'.
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	318	Elastic.Wordiness	Consider using 'because of' instead of 'as a result of'.
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	516	Elastic.Exclamation	Use exclamation points sparingly. Consider removing the exclamation point.
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	518	Elastic.Exclamation	Use exclamation points sparingly. Consider removing the exclamation point.
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	562	Elastic.Wordiness	Consider using 'because' instead of 'since'.
deploy-manage/deploy/self-managed/tutorial-self-managed-install.md	680	Elastic.Exclamation	Use exclamation points sparingly. Consider removing the exclamation point.

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[github-actions]

🔍 Preview links for changed docs

• deploy-manage/deploy/self-managed/tutorial-self-managed-install.md
• deploy-manage/deploy/self-managed/tutorial-self-managed-secure.md
• deploy-manage/deploy/self-managed/tutorials.md

[kilfoyle]

Suggested change

	* {{agent}} enrolls using that Quick Start flow, which is why the generated install command includes the `--insecure` flag.
	* {{agent}} enrolls using the same Quick Start flow, in which the generated install command includes the `--insecure` flag.

[kilfoyle]

LGTM! 🚢
Very nice @eedugon!