(DOCSP-33645) Adds limitation for kmip configuration. (#1483)

erabil-mdb · web-flow · commit f647c9f597fc · 2023-10-25T12:05:24.000-06:00
* (DOCSP-33645) Adds limitation for kmip configuration. * Revises per tech review. * Revises per copy review. * Revises per tech review. * Adds high-level steps for KMIP workaround.
diff --git a/source/multi-cluster-arch.txt b/source/multi-cluster-arch.txt
@@ -53,6 +53,11 @@ The following limitations exist for |multi-clusters|:
 
 - Use only |k8s| |k8s-secrets| for your secret storage tool. The |hashicorp-vault| 
   secret storage tool isn't supported.
+- For deployments where the same |k8s-op-short| instance is not managing both the
+  :ref:`MongoDBOpsManager <k8s-om-specification>` and 
+  :ref:`MongoDB <k8s-specification>` custom resources, 
+  you must manually configure |kmip| backup encryption client settings in |onprem|. 
+  To learn more, see :ref:`kmip-workaround`.   
 - Don't add a :github:`ServiceMonitor</prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md#related-resources>`
   to your |mongodb-multis|. The |k8s-op-short| doesn't support integration with Prometheus.
 
diff --git a/source/tutorial/configure-kmip-backup-encryption.txt b/source/tutorial/configure-kmip-backup-encryption.txt
@@ -10,6 +10,21 @@ Configure KMIP Backup Encryption for Ops Manager
 configure |kmip| backup encryption for |mms|. To learn more, see 
 :opsmgr:`Encrypted Backup Snapshots </tutorial/encrypt-snapshots/>`.
 
+.. _kmip-limitations:
+
+Limitations
+-----------
+
+For deployments where the same |k8s-op-short| instance is not managing both the
+:ref:`MongoDBOpsManager <k8s-om-specification>` and 
+:ref:`MongoDB <k8s-specification>` custom resources, 
+you must manually configure |kmip| 
+backup encryption client settings in the 
+:ref:`MongoDBOpsManager <k8s-om-specification>` custom resource. 
+This requirement involves including client certificates for each MongoDB database, 
+which you can achieve by overriding the |onprem| Pod's StatefulSet to mount 
+the certificates. To learn more, see :ref:`kmip-workaround`.
+
 Procedure
 ---------
 
diff --git a/source/tutorial/om-arch.txt b/source/tutorial/om-arch.txt
@@ -135,7 +135,12 @@ If you enable backup, you must provide additional fields in the
 :opsmgrkube:`spec.backup <spec.backup.enabled>` collection to configure:
 the :term:`oplog store <oplog store database>` and a :term:`blockstore
 <Backup Blockstore Database>` or an |s3| :term:`snapshot store <S3
-Snapshot Store>`. 
+Snapshot Store>`. You can also 
+:ref:`encrypt backup jobs <configure-kmip-backup-encryption>`, but 
+:ref:`limitations <kmip-limitations>` apply to deployments where the same 
+|k8s-op-short| instance is not managing both the 
+:ref:`MongoDBOpsManager <k8s-om-specification>` and :ref:`MongoDB <k8s-specification>` 
+custom resources. 
 
 If you enable backup, the |k8s-op-short| creates a |k8s-pvc| for the
 Backup Daemon's :term:`head database`. You can
diff --git a/source/tutorial/plan-om-resource.txt b/source/tutorial/plan-om-resource.txt
@@ -199,6 +199,12 @@ enable the Backup Daemon and configure the head database.
      to use for Backup at random.
 
    The |onprem| resource remains in a ``Pending`` state until you configure these Backup resources.
+   
+   You can also :ref:`encrypt backup jobs <configure-kmip-backup-encryption>`, but 
+   :ref:`limitations <kmip-limitations>` apply to deployments where the same 
+   |k8s-op-short| instance is not managing both the 
+   :ref:`MongoDBOpsManager <k8s-om-specification>` and :ref:`MongoDB <k8s-specification>` 
+   custom resources.
 
 Oplog Store
 +++++++++++
@@ -271,6 +277,29 @@ To disable backup after you enabled it:
    To learn about reclaiming |k8s-pvs|, see the
    :k8sdocs:`Kubernetes documentation </concepts/storage/persistent-volumes/#reclaiming>`.
 
+.. _kmip-workaround:
+
+Manually Configure KMIP Backup Encryption
++++++++++++++++++++++++++++++++++++++++++
+
+For deployments where the same |k8s-op-short| instance is *not* managing both the
+:ref:`MongoDBOpsManager <k8s-om-specification>` and 
+:ref:`MongoDB <k8s-specification>` custom resources, 
+you must manually configure |kmip| backup encryption client settings in |onprem| 
+using the following procedure. If the |k8s-op-short| *is* managing both resources, 
+see :ref:`configure-kmip-backup-encryption` instead.
+
+1. Get the absolute path to the |kmip| client certificate for each MongoDB 
+   :ref:`project <projects-page-admin-ui>` in your deployment. All deployments 
+   in the project use the same |kmip| client certificate file to authenticate 
+   to the |kmip| server.
+
+2. Mount the |kmip| client certificates to |onprem| by overriding the 
+   |k8s-statefulset|.
+   
+3. Configure the |kmip| settings for your project in |onprem|. To learn more, 
+   see :ref:`configure-group-kmip`.
+
 .. _config-https:
 
 Configure |onprem| to Run over HTTPS
