Add a Updating the TLS certificate section (#737)

gotsysdba · web-flow · commit dcf33b64fa2c · 2023-10-19T09:11:49.000+01:00
* Add a Updating the TLS certificate section * Resolve @rhondaday comments (TY) * implemented comments
diff --git a/docs-source/mbaas/content/setup/_index.md b/docs-source/mbaas/content/setup/_index.md
@@ -32,23 +32,23 @@ To start the installation, take the following steps:
 6. On the **Create Stack** page:
 
    a. Modify the suggested name, if desired.
-   
+
    b. Add a description or tags, if desired.
-   
+
    c. Click **Next**.
 
 7. On the **Configure variables** page, in the **Backend as a Service** section (see the following image):
 
    a. Specify an application name, if desired. If not specified, a randomized value is generated.  This is the name of the Parse application.
-   
+
    b. Specify an application ID, if desired. If not specified, a randomized value is generated.  This is the Parse `APPLICATION_ID`.
-   
+
    c. Specify a server master key, if desired. If not specified, a randomized value is generated.  This is the Parse `MASTER_KEY`.
-   
+
    d. Change the dashboard user name, if desired. Note that this is case-sensitive.
-   
+
    e. Provide a dashboard password for the dashboard user. Oracle recommends using a strong password for security purposes.
-   
+
    For example:
 
    ![Configure variables page](../mbaas-configure-variables.png)
@@ -64,25 +64,47 @@ To start the installation, take the following steps:
 11. In the **Database Options** section, you can customize the database shape and the CIDR for client access. Note that you cannot access
     **Database Actions** if you change the network access to `PRIVATE_ENDPOINT_ACCESS`.
 
-12. Once you have completed customization, click **Next**. 
+12. Once you have completed customization, click **Next**.
 
 13. The **Review** page is displayed. Check your settings and then click **Create** to create the stack and run the Terraform `apply`
-    command to create all of the associated resources.  
+    command to create all of the associated resources.
 
 You can monitor the installation in the log. Installation takes approximately 20 minutes to complete.  Most of this time is spent provisioning
 the Kubernetes cluster, its nodes, and the database.
 
-When the installation is finished, some important information is included at the end of the log.  You need this information to access
+When the installation is finished, some important information is included at the end of the log. You need this information to access
 the newly created environment. For example:
 
+```text
+kubeconfig_cmd = "oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.iad.aaaaaaaatc --region us --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT --file $HOME/.kube/config"
+parse_application_id = "MYCOOLAPP001"
+parse_dashboard_password = <sensitive>
+parse_dashboard_uri = "https://1.2.3.4/parse-dashboard"
+parse_dashboard_user = "ADMIN"
+parse_endpoint = "https://1.2.3.4/parse"
+parse_master_key = <sensitive>
 ```
-application_id = "COOLAPPV100"
-dashboard_password = <sensitive>
-dashboard_uri = "http://1.2.3.4"
-dashboard_user = "ADMIN"
-kubeconfig_cmd = "oci ce cluster create-kubeconfig --cluster-id ocid1.cluster.oc1.iad.xxx
- --file $HOME/.kube/config --region us-ashburn-1 --token-version 2.0.0 --kube-endpoint PUBLIC_ENDPOINT"
-parse_endpoint = "1.2.3.4/parse"
-```
+
+## TLS
+
+The Oracle Backend for Parse Platform is deployed with a sample self-signed certificate for Transport Layer Security (TLS). This results in an "Accept Risk" message when accessing the Parse Dashboard and the sample TLS certificate should not be used for production deployments.
+
+### Updating the TLS Certificate
+
+1. Ensure your Domain Name System (DNS) entry points to the IP address specified in the `parse_dashboard_uri` output.
+2. Obtain a new TLS certificate. In a production environment, the most common scenario is to use a public certificate that has been signed by a certificate authority.
+3. Create a new Kubernetes secret in the `ingress-nginx` namespace.  For example:
+
+    ```bash
+    kubectl -n ingress-nginx create secret tls my-tls-cert --key new-tls.key --cert new-tls.crt
+    ```
+
+4. Modify the service definition to reference the new Kubernetes secret by changing the `service.beta.kubernetes.io/oci-load-balancer-tls-secret` annotation in the service configuration. For example:
+
+    ```bash
+    kubectl patch service ingress-nginx-controller -n ingress-nginx \
+        -p '{"metadata":{"annotations":{"service.beta.kubernetes.io/oci-load-balancer-tls-secret":"my-tls-cert"}}}' \
+        --type=merge
+    ```
 
 Next, go to the [Microsoft Azure/OCI Multicloud Installation](../azure/) page to learn how to use the newly installed environment.
