Improve deploy.md

stoyanr · stoyanr · commit 9ba0156c8437 · 2025-05-14T09:23:31.000+03:00
diff --git a/content/integrate/redis-data-integration/data-pipelines/deploy.md b/content/integrate/redis-data-integration/data-pipelines/deploy.md
@@ -47,20 +47,57 @@ secrets are only relevant for TLS/mTLS connections.
 | `TARGET_DB_KEY` | (For mTLS only) Target database private key |
 | `TARGET_DB_KEY_PASSWORD` | (For mTLS only) Target database private key password |
 
+{{< note >}}When creating secrets for TLS or mTLS, ensure that all certificates and keys are in `PEM` format. The only exception to this is that for PostgreSQL, the private key `SOURCE_DB_KEY` secret must be in `DER` format. If you have a key in `PEM` format, you must convert it to `DER` before creating the `SOURCE_DB_KEY` secret using the command:
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.pem -out /path/to/myclient.pk8 -nocrypt
+```
+
+This command assumes that the private key is not encrypted. See the [`openssl` documentation](https://docs.openssl.org/master/) to learn how to convert an encrypted private key.
+{{< /note >}}
+  
 ### Set secrets for VM deployment
 
-Use
-[`redis-di set-secret`]({{< relref "/integrate/redis-data-integration/reference/cli/redis-di-set-secret" >}})
-to set secrets for a VM deployment. For example, you would use the
-following command line to set the source database username to `myUserName`:
+Use [`redis-di set-secret`]({{< relref "/integrate/redis-data-integration/reference/cli/redis-di-set-secret" >}})
+to set secrets for a VM deployment. 
+
+The specific command lines for source secrets are as follows:
 
 ```bash
-redis-di set-secret SOURCE_DB_USERNAME myUserName
+# For username and password
+redis-di set-secret SOURCE_DB_USERNAME yourUsername
+redis-di set-secret SOURCE_DB_PASSWORD yourPassword
+
+# With source TLS, in addition to the above
+redis-di set-secret SOURCE_DB_CACERT /path/to/myca.crt
+
+# With source mTLS, in addition to the above
+redis-di set-secret SOURCE_DB_CERT /path/to/myclient.crt
+redis-di set-secret SOURCE_DB_KEY /path/to/myclient.key
+# Use this only if SOURCE_DB_KEY is password-protected
+redis-di set-secret SOURCE_DB_KEY_PASSWORD yourKeyPassword 
+```
+
+The corresponding command lines for target secrets are:
+
+```bash
+# For username and password
+redis-di set-secret TARGET_DB_USERNAME yourUsername
+redis-di set-secret TARGET_DB_PASSWORD yourPassword
+
+# With target TLS, in addition to the above
+redis-di set-secret TARGET_DB_CACERT /path/to/myca.crt
+
+# With target mTLS, in addition to the above
+redis-di set-secret TARGET_DB_CERT /path/to/myclient.crt
+redis-di set-secret TARGET_DB_KEY /path/to/myclient.key
+# Use this only if TARGET_DB_KEY is password-protected
+redis-di set-secret TARGET_DB_KEY_PASSWORD yourKeyPassword
 ```
 
 ### Set secrets for K8s/Helm deployment using the rdi-secret.sh script
 
-To use the `rdi-secret.sh` script, unzip the archive that contains the Helm chart and navigate to the resulting folder. The `rdi-secret.sh` script is located in the `scripts` subfolder. The general pattern for using this script is:
+Use the `rdi-secret.sh` script to set secrets for a K8s/Helm deployment. To use this script, unzip the archive that contains the RDI Helm chart and navigate to the resulting folder. The `rdi-secret.sh` script is located in the `scripts` subfolder. The general pattern for using this script is:
 
 ```bash
 scripts/rdi-secret.sh set <SECRET-NAME> <SECRET-VALUE>
@@ -76,14 +113,6 @@ scripts/rdi-secret.sh get <SECRET-NAME>
 scripts/rdi-secret.sh list
 ```
 
-When creating secrets for TLS or mTLS, ensure that all certificates and keys are in `PEM` format. The only exception to this is that for PostgreSQL, the private key `SOURCE_DB_KEY` secret must be in `DER` format. If you have a key in `PEM` format, you must convert it to `DER` before creating the `SOURCE_DB_KEY` secret using the command:
-
-```bash
-openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.key -out /path/to/myclient.pk8 -nocrypt
-```
-
-This command assumes that the private key is not encrypted. See the [`openssl` documentation](https://docs.openssl.org/master/) to learn how to convert an encrypted private key.
-  
 The specific command lines for source secrets are as follows:
 
 ```bash
@@ -139,14 +168,6 @@ kubectl create secret generic <DB>-ssl \
 --from-file=<FILE-NAME>=<FILE-PATH>
 ```
 
-When you create these secrets, ensure that all certificates and keys are in `PEM` format. The only exception to this is that for PostgreSQL, the private key in the `source-db-ssl` secret (the `client.key` file) must be in `DER` format. If you have a key in `PEM` format, you must convert it to `DER` before creating the `source-db-ssl` secret using the command:
-
-```bash
-openssl pkcs8 -topk8 -inform PEM -outform DER -in /path/to/myclient.key -out /path/to/myclient.pk8 -nocrypt
-```
-
-This command assumes that the private key is not encrypted.  See the [`openssl` documentation](https://docs.openssl.org/master/) to learn how to convert an encrypted private key.
-
 The specific command lines for source secrets are as follows:
 
 ```bash
@@ -231,7 +252,7 @@ Note that the certificate paths contained in the secrets `SOURCE_DB_CACERT`, `SO
 
 ## Deploy a pipeline
 
-When you have created your configuration, including the [jobs]({{< relref "/integrate/redis-data-integration/data-pipelines/data-pipelines#job-files" >}}), they are
+When you have created your configuration, including the [jobs]({{< relref "/integrate/redis-data-integration/data-pipelines/data-pipelines#job-files" >}}), you are
 ready to deploy. Use [Redis Insight]({{< relref "/develop/tools/insight/rdi-connector" >}})
 to configure and deploy pipelines for both VM and K8s installations.
 
