(DOCSP-12102): update tls ca settings (#366)

* (DOCSP-12102): update tls ca settings

* (DOCSP-12102): update om https deployment procedure

* (DOCSP-12102): language tweaks

Author: jwilliams-mongo

source/includes/steps-deploy-k8s-opsmgr-https.yaml

@@ -36,7 +36,7 @@ content: |
 
       kubectl create secret generic om-http-cert --from-file="server.pem" -n <namespace>
 ---
-title: "If necessary, validate your TLS Certificate"
+title: "If necessary, validate your TLS Certificate."
 stepnum: 4
 ref: validate-tls-cert
 content: |
@@ -68,7 +68,7 @@ content: |
    .. literalinclude:: /reference/k8s/example-opsmgr-https.yaml
       :language: yaml
       :linenos:
-      :emphasize-lines: 5,7-11,15-17,19,21-23
+      :emphasize-lines: 5,7-11,14-18,20,22-24
 
 ---
 title: "Open your preferred text editor and paste the |k8s-obj| specification into a new text file."
@@ -135,6 +135,21 @@ content: |
 
         - ``om-admin-secret``
 
+      * - | ``spec``
+          | ``.security``
+          | ``.tls``
+          | ``.``:opsmgrkube:`~spec.security.tls.ca`
+        - string
+        - Name of the |k8s-configmap| you created to verify |tls|
+          certificates signed using a Custom Certificate Authority.
+
+          .. important::
+
+             This field is required if you signed your |tls|
+             certificates using a Custom Certificate Authority. 
+
+        - ``om-http-cert-ca``
+
       * - | ``spec``
           | ``.security``
           | ``.tls``

source/reference/k8s-operator-om-specification.txt

@@ -187,12 +187,25 @@ Optional |onprem| Resource Settings
    Name of the |k8s| |k8s-configmap| containing the |certauth| file for
    the application database.
 
+   .. important::
+
+      :opsmgrkube:`spec.applicationDatabase.security.tls.ca` is required
+      if you use a Custom Certificate Authority to sign your application
+      database |tls| certificates.
+
+   This |certauth| signs the certificates that:
+   
+   - the application database replica set members use to communicate
+     with one another, and
+   - |onprem| uses to communicate with the application database replica
+     set.
+
 .. opsmgrkube:: spec.applicationDatabase.security.tls.secretRef.name
 
    *Type*: string
 
-   Name of the |k8s| |k8s-secret| object created to secure the
-   application database resources.
+   Name of the |k8s| |k8s-secret| you created to secure the application
+   database resources.
 
 .. opsmgrkube:: spec.backup.enabled
 
@@ -810,11 +823,27 @@ Optional |onprem| Resource Settings
       |application| based on the container's memory. Changing the
       ``-Xms`` and ``-Xmx`` values can cause issues with |onprem|.
 
+.. opsmgrkube:: spec.security.tls.ca
+
+   Name of the |k8s| |k8s-configmap| that contains a custom |certauth|
+   file for |onprem|.
+
+   .. important::
+
+      :opsmgrkube:`spec.security.tls.ca` is required if you use a Custom
+      Certificate Authority to sign your |onprem| |tls| certificates.
+
+   This |certauth| signs the certificates that:
+
+   - clients use to connect to the |application|, and
+   - agents in the application database |k8s-pods| use to communicate
+     with |onprem|. 
+
 .. opsmgrkube:: spec.security.tls.secretRef.name
 
    *Type*: string
 
-   Name of the |k8s| |k8s-secret| you created for your |tls|
+   Name of the |k8s| |k8s-secret| you created for your |onprem| |tls|
    certificate. Used when creating an |onprem| instance which runs
    over |https|.
 

source/reference/k8s/example-opsmgr-https.yaml

@@ -11,6 +11,7 @@ spec:
                                            # for the admin user
   security:
     tls:
+      ca: <om-http-cert-ca>
       secretRef:
         name: <tlscertificate> # Should match metadata.name
                                # in the Kubernetes secret