Add fleet-server secret file docs (#148)

* Add fleet-server secret file docs

* change file suffix to path where applicable, add example

* Add k8s secrets guide and env var descriptions

* add instructions for ram disks

* use k8s agent provider only for apm

* windows file permissions acls

* change heading name

* Add index ref

* David's edits

* Apply suggestions from code review

Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com>

* Clarify ram disk description

* Update docs/en/ingest-management/fleet/fleet-server-secrets.asciidoc

Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com>

---------

Co-authored-by: David Kilfoyle <david.kilfoyle@elastic.co>
Co-authored-by: Karen Metts <35154725+karenzone@users.noreply.github.com>

Author: 3 people

.gitignore

@@ -12,4 +12,6 @@ html_docs
 
 # IDE configuration files
 .vscode/
-.idea/
+.idea/
+
+*.swp

docs/en/ingest-management/commands.asciidoc

@@ -149,11 +149,13 @@ To enroll the {agent} in {fleet} and set up {fleet-server}:
 ----
 elastic-agent enroll --fleet-server-es <string>
                      --fleet-server-service-token <string>
+                     [--fleet-server-service-token-path <string>]
                      [--ca-sha256 <string>]
                      [--certificate-authorities <string>]
                      [--delay-enroll]
                      [--fleet-server-cert <string>] <1>
                      [--fleet-server-cert-key <string>]
+                     [--fleet-server-cert-key-passphrase <string>]
                      [--fleet-server-es-ca <string>]
                      [--fleet-server-es-ca-trusted-fingerprint <string>] <2>
                      [--fleet-server-es-insecure]
@@ -164,7 +166,7 @@ elastic-agent enroll --fleet-server-es <string>
                      [--force]
                      [--non-interactive]
                      [--help]
-                     [--tag <string>] 
+                     [--tag <string>]
                      [--url <string>] <3>
                      [global-flags]
 ----
@@ -207,6 +209,9 @@ Certificate to use for exposed {fleet-server} HTTPS endpoint.
 `--fleet-server-cert-key <string>`::
 Private key to use for exposed {fleet-server} HTTPS endpoint.
 
+`--fleet-server-cert-key-passphrase <string>`::
+Path to passphrase file for decrypting {fleet-server}'s private key if an encrypted private key is used.
+
 `--fleet-server-es <string>`::
 Start a {fleet-server} process when {agent} is started, and connect to the
 specified {es} URL.
@@ -247,6 +252,11 @@ Used when starting a self-managed {fleet-server} to allow a specific policy to b
 
 `--fleet-server-service-token <string>`::
 Service token to use for communication with {es}.
+Mutually exclusive with `--fleet-server-service-token-path`.
+
+`--fleet-server-service-token-path <string>`::
+Service token file to use for communication with {es}.
+Mutually exclusive with `--fleet-server-service-token`.
 
 `--force`::
 Force overwrite of current configuration without prompting for confirmation.
@@ -256,7 +266,7 @@ NOTE: If the {agent} is already installed on the host, using `--force` may
 result in unpredictable behavior with duplicate {agent}s appearing in {fleet}.
 
 `--non-interactive`::
-Install {agent} in a non-interactive mode. This flag is helpful when 
+Install {agent} in a non-interactive mode. This flag is helpful when
 using automation software or scripted deployments. If {agent} is
 already installed on the host, the installation will terminate.
 
@@ -473,7 +483,7 @@ elastic-agent install --url <string>
                       [--non-interactive]
                       [--help]
                       [--insecure ]
-                      [--tag <string>] 
+                      [--tag <string>]
                       [global-flags]
 ----
 
@@ -485,11 +495,13 @@ a `fleet-server` process alongside the `elastic-agent` service:
 
 elastic-agent install --fleet-server-es <string>
                       --fleet-server-service-token <string>
+                      [--fleet-server-service-token-path <string>]
                       [--ca-sha256 <string>]
                       [--certificate-authorities <string>]
                       [--delay-enroll]
                       [--fleet-server-cert <string>] <1>
                       [--fleet-server-cert-key <string>]
+                      [--fleet-server-cert-key-passphrase <string>]
                       [--fleet-server-es-ca <string>]
                       [--fleet-server-es-ca-trusted-fingerprint <string>] <2>
                       [--fleet-server-host <string>]
@@ -499,7 +511,7 @@ elastic-agent install --fleet-server-es <string>
                       [--force]
                       [--non-interactive]
                       [--help]
-                      [--tag <string>] 
+                      [--tag <string>]
                       [--url <string>] <3>
                       [--fleet-server-es-insecure]
                       [global-flags]

docs/en/ingest-management/elastic-agent/configuration/env/.container-envs.asciidoc.swp

@@ -97,6 +97,8 @@ include::shared-env.asciidoc[tag=fleet-server-elasticsearch-ca]
 
 include::shared-env.asciidoc[tag=fleet-server-service-token]
 
+include::shared-env.asciidoc[tag=fleet-server-service-token-path]
+
 include::shared-env.asciidoc[tag=fleet-server-policy-name]
 
 include::shared-env.asciidoc[tag=fleet-server-policy-id]
@@ -109,6 +111,8 @@ include::shared-env.asciidoc[tag=fleet-server-cert]
 
 include::shared-env.asciidoc[tag=fleet-server-cert-key]
 
+include::shared-env.asciidoc[tag=fleet-server-cert-key-passphrase]
+
 include::shared-env.asciidoc[tag=fleet-server-insecure-http]
 
 |===

docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc

@@ -180,6 +180,19 @@ Overrides `FLEET_TOKEN_POLICY_NAME` when set.
 
 // =============================================================================
 
+// tag::fleet-server-service-token-path[]
+|
+[id="env-{type}-fleet-server-service-token-path"]
+`FLEET_SERVER_SERVICE_TOKEN_PATH`
+
+| (string) The path to the service token file to use for communication with {es}.
+
+*Default:* none
+
+// end::fleet-server-service-token-path[]
+
+// =============================================================================
+
 // tag::fleet-server-policy-id[]
 |
 [id="env-{type}-fleet-server-policy-id"]
@@ -245,6 +258,19 @@ Overrides the port defined in the policy.
 
 // =============================================================================
 
+// tag::fleet-server-cert-key-passphrase[]
+|
+[id="env-{type}-fleet-server-cert-key-passphrase"]
+`FLEET_SERVER_CERT_KEY_PASSPHRASE`
+
+| (string) The path to the private key passphrase for an encrypted private key file.
+
+*Default:* none
+
+// end::fleet-server-cert-key-passphrase[]
+
+// =============================================================================
+
 // tag::fleet-server-insecure-http[]
 |
 [id="env-{type}-fleet-server-insecure-http"]