(DOCSP-18203): fix prefix tls setting (#737)

Author: jwilliams-mongo

source/includes/admonitions/deprecate-secret-ref-name.rst

@@ -1,15 +1,29 @@
 .. important:: Deprecation Notice
 
-   The :opsmgrkube:`spec.security.tls.secretRef.name` field is deprecated
-   for the MongoDB resources and for the application database in the
-   |onprem| resources. You can continue using :opsmgrkube:`spec.security.tls.secretRef.name`
+   The :setting:`spec.security.tls.secretRef.name`
+   and 
+   :opsmgrkube:`spec.applicationDatabase.security.tls.secretRef.name`
+   fields are deprecated for the MongoDB resources and for the
+   application database in the |onprem| resources. You can continue 
+   using :opsmgrkube:`spec.security.tls.secretRef.name`
    for the |onprem| resources other than the application database.
 
    This field will remain in future releases to maintain backwards
-   compatibility. Instead of the deprecated field, use:
+   compatibility.
 
-   - :opsmgrkube:`spec.applicationDatabase.security.tls.secretRef.prefix`,
-     for the application database in your |onprem| resources.
-   - :setting:`spec.security.tls.secretRef.prefix`, for MongoDB resources.
+   If you omit
+   :opsmgrkube:`spec.applicationDatabase.security.tls.secretRef.name`,
+   the |k8s-op-short| expects the secrets that contain your
+   |tls| certificates for database resources to follow this naming 
+   convention: ``<metadata.name>-cert``, where ``<metadata.name>`` 
+   specifies the name of one of the following resources:
 
-   
+   - |onprem| resource for application database deployments
+   - Database resource for other database deployments
+
+   For information about pre-pending an optional prefix to the secret
+   name, see:
+
+   - :opsmgrkube:`spec.applicationDatabase.security.tls.secretRef.prefix`
+     for the application database in your |onprem| resources.
+   - :setting:`spec.security.tls.secretRef.prefix` for MongoDB resources.

source/includes/list-tables/resource-keys-tls-custom-ca.rst

@@ -32,7 +32,12 @@
      - string
      - Optional
      - Add the ``<prefix>`` of the |k8s| |k8s-secret| name that contains
-       your MongoDB deployment's |tls| certificates. If you omit this
-       setting, the prefix defaults to the value of
-       :setting:`metadata.name` of your MongoDB resource.
-     - ``<prefix>``
+       your MongoDB deployment's |tls| certificates. If you omit
+       :setting:`spec.security.tls.secretRef.name` and you configure
+       :setting:`spec.security.tls.secretRef.prefix`, you must name the 
+       secret ``<prefix>-<metadata.name>-cert``.
+       
+       If you omit :setting:`spec.security.tls.secretRef.name` and
+       :setting:`spec.security.tls.secretRef.prefix`, you must name the
+       secret ``<metadata.name>-cert``.
+     - ``devDb``

source/includes/options-k8s-shared.yaml

@@ -577,7 +577,7 @@ type: string
 directive: setting
 optional: true
 description: |
-  Deprecated. Use :setting:`spec.security.tls.secretRef.prefix` instead.
+  Deprecated. See :setting:`spec.security.tls.secretRef.prefix`.
   Provide the name of the |k8s| |k8s-secret| you created that contains
   your MongoDB deployment's |tls| certificates.
 ---
@@ -589,10 +589,10 @@ optional: true
 description: |
   Provide the ``<prefix>`` of the |k8s| |k8s-secret| name that you
   created that contains your MongoDB deployment's |tls| certificates.
-  The full |k8s-secret| name has the following format:
-  ``<prefix>-cert``. If you omit this setting, the prefix
-  defaults to the value of :setting:`metadata.name` of your
-  |k8s-mdbrsc|.
+  When you use this option, the full |k8s-secret| name has the following
+  format: ``<prefix>-<metadata.name>-cert``. If you omit this setting
+  and you omit :setting:`spec.security.tls.secretRef.name`,
+  you must name the secret ``<metadata.name>-cert``.
 ---
 program: _shared
 name: spec.security.authentication

source/includes/steps-deploy-k8s-opsmgr-https.yaml

@@ -66,8 +66,8 @@ content: |
 
      .. code-block:: sh
 
-        openssl s_client -showcerts -verify 2 \ 
-        -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \ 
+        openssl s_client -showcerts -verify 2 \
+        -connect downloads.mongodb.com:443 -servername downloads.mongodb.com < /dev/null \
         | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}'
 
   #. Concatenate your |certauth|\'s certificate file with the
@@ -97,7 +97,7 @@ content: |
    .. literalinclude:: /reference/k8s/example-opsmgr-https.yaml
       :language: yaml
       :linenos:
-      :emphasize-lines: 5,7-11,14-20,21-38
+      :emphasize-lines: 5,7-11,14-20,21-39
 
 ---
 title: "Open your preferred text editor and paste the |k8s-obj| specification into a new text file."
@@ -309,13 +309,13 @@ content: |
        - Name of the MongoDB database resource for the oplog store.
        - ``my-oplog-db``
 
-  You must also configure an :term:`S3 snapshot store <s3 snapshot store>` 
+  You must also configure an :term:`S3 snapshot store <s3 snapshot store>`
   or a :term:`blockstore <Backup Blockstore Database>`.
 
   .. note::
 
      If you deploy both an :term:`S3 snapshot store <s3 snapshot store>`
-     and a :term:`blockstore <Backup Blockstore Database>`, |onprem| 
+     and a :term:`blockstore <Backup Blockstore Database>`, |onprem|
      randomly choses one to use for Backup.
 
   To configure a snapshot store, configure the following settings:
@@ -393,8 +393,8 @@ content: |
         | ``.mongodbResourceRef``
         | ``.``:opsmgrkube:`~spec.backup.blockStores.mongodbResourceRef.name`
       - string
-      - Name of the MongoDB database resource that you create for the 
-        blockstore. You must deploy this database resource in the same 
+      - Name of the MongoDB database resource that you create for the
+        blockstore. You must deploy this database resource in the same
         namespace as the |onprem| resource.
       - ``my-mongodb-blockstore``
 
@@ -406,7 +406,7 @@ optional: true
 ref: add-k8s-values
 content: |
 
-  Add any :ref:`optional settings <optional-om-k8s-settings>` that you 
+  Add any :ref:`optional settings <optional-om-k8s-settings>` that you
   want to apply to your deployment to the |k8s-obj| specification file.
 ---
 title: "Save this file with a ``.yaml`` file extension."
@@ -466,10 +466,10 @@ content: |
   #. |onprem|.
   #. Backup.
 
-  The |k8s-op-short| doesn't reconcile a resource until the preceding 
+  The |k8s-op-short| doesn't reconcile a resource until the preceding
   one enters the ``Running`` phase.
 
-  After the |onprem| resource completes the ``Reconciling`` phase, the 
+  After the |onprem| resource completes the ``Reconciling`` phase, the
   command returns the following output under the ``status`` field if you
   enabled backup:
 
@@ -485,7 +485,7 @@ content: |
           version: "4.2.0"
        backup:
         lastTransition: "2020-04-01T09:57:42Z"
-        message: The MongoDB object <namespace>/<oplogresourcename> 
+        message: The MongoDB object <namespace>/<oplogresourcename>
           doesn't exist
         phase: Pending
         opsManager:
@@ -495,7 +495,7 @@ content: |
           url: http://om-svc.cloudqa.svc.cluster.local:8443
           version: "5.0.0"
 
-  Backup remains in a ``Pending`` state until you configure the Backup 
+  Backup remains in a ``Pending`` state until you configure the Backup
   databases.
 
   .. tip::
@@ -525,7 +525,7 @@ content: |
           url: http://om-svc.dev.svc.cluster.local:8443
           version: ""
 
-  Backup remains in a ``Pending`` state until you configure the Backup 
+  Backup remains in a ``Pending`` state until you configure the Backup
   databases.
 
   .. tip::
@@ -613,7 +613,7 @@ content: |
   :ref:`create-k8s-project` page.
 
   Set the following fields in your project ConfigMap:
-    
+
   - Set ``data.baseUrl`` in the ConfigMap to the |application|\'s |url|.
     To find this |url|, invoke the following command:
 
@@ -687,7 +687,7 @@ content: |
      .. note::
 
         Create the |s3| snapshot store as a replica set.
-     
+
      Match the ``metadata.name`` of the resource to the
      :opsmgrkube:`spec.backup.s3Stores.mongodbResourceRef.name`
      that you specified in your |onprem| resource definition.

source/reference/k8s-operator-om-specification.txt

@@ -197,7 +197,7 @@ Optional |onprem| Resource Settings
    - |onprem| uses to communicate with the application database replica
      set.
 
-  .. include:: /includes/admonitions/warning-concatenate-download-certs.rst
+   .. include:: /includes/admonitions/warning-concatenate-download-certs.rst
 
 .. opsmgrkube:: spec.applicationDatabase.security.tls.secretRef.name
 
@@ -214,9 +214,12 @@ Optional |onprem| Resource Settings
 
    The ``<prefix>`` of the |k8s| |k8s-secret| name that you created that
    contains your application database's |tls| certificates. The full
-   |k8s-secret| name has the following format: ``<prefix>-cert``. If you
-   omit the prefix, this setting defaults to the value of
-   :setting:`metadata.name` of your application database |onprem| resource.
+   |k8s-secret| name has the following format:
+   ``<prefix>-<metadata.name>-cert``, where ``<metadata.name>`` is the
+   name of your |onprem| resource. If you
+   omit this setting and you omit
+   :opsmgrkube:`spec.applicationDatabase.security.tls.secretRef.name`,
+   you must name the secret ``<metadata.name>-cert``.
 
    To learn how to configure your |onprem| instance to run over
    |https|, see :ref:`deploy-om-container`.

source/reference/k8s/example-opsmgr-https.yaml

@@ -15,7 +15,7 @@ spec:
   security:
       tls:
         ca: <om-http-cert-ca>  # Optional. Name of the ConfigMap file
-                               # containing the certicate authority that
+                               # containing the certificate authority that
                                # signs the certificates used by the Ops
                                # Manager custom resource.
         secretRef:
@@ -28,13 +28,13 @@ spec:
     security:
       tls:
         ca: <om-http-cert-ca>  # Optional. Name of the ConfigMap file
-                               # containing the certicate authority that
+                               # containing the certificate authority that
                                # signs the certificates that the application
                                # database uses.
         secretRef:
-          prefix: <prefix> # Optional. The <prefix> of the Kubernetes
-                           # secret's name. If you omit the prefix, it
-                           # defaults to the value of metadata.name for
-                           # the Ops Manager custom  resource.
-
+          prefix: <prefix> # Optional. The <prefix> to prepend to the Kubernetes
+                           # secret's name: <prefix>-<metadata.name>-cert. If you omit this setting,
+                           # you must name the secret <metadata.name>-cert,
+                           # where <metadata.name> is the name of the 
+                           # Ops Manager resource.
 ...