mongodb
diff --git a/‎source/includes/prereqs/custom-ca-prereqs-multi-cluster-rs-tls-only.rst
Lines changed: 13 additions & 0 deletions b/‎source/includes/prereqs/custom-ca-prereqs-multi-cluster-rs-tls-only.rst
Lines changed: 13 additions & 0 deletions
diff --git a/‎source/includes/prereqs/san-format-multi-cluster.rst
Lines changed: 7 additions & 0 deletions b/‎source/includes/prereqs/san-format-multi-cluster.rst
Lines changed: 7 additions & 0 deletions
diff --git a/‎source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom-renew.yaml
Lines changed: 9 additions & 0 deletions b/‎source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom-renew.yaml
Lines changed: 9 additions & 0 deletions
diff --git a/‎source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom.yaml
Lines changed: 84 additions & 0 deletions b/‎source/includes/steps-deploy-k8s-multi-cluster-rs-tls-custom.yaml
Lines changed: 84 additions & 0 deletions
diff --git a/‎source/includes/steps-multi-cluster-source.yaml
Lines changed: 24 additions & 1 deletion b/‎source/includes/steps-multi-cluster-source.yaml
Lines changed: 24 additions & 1 deletion
diff --git a/‎source/includes/steps-multi-cluster-tls-openssl.yaml
Lines changed: 0 additions & 181 deletions b/‎source/includes/steps-multi-cluster-tls-openssl.yaml
Lines changed: 0 additions & 181 deletions
@@ -0,0 +1,13 @@
+- Generate one |tls| certificate for a ``MongoDBMulti`` resource.
+
+  For each |k8s| service corresponding to each Pod in each member cluster,
+  add |san-dns|\s to the certificate.
+
+  In your |tls| certificate, the |san-dns| for each |k8s| service  must
+  use the following format:
+
+  .. include:: /includes/prereqs/san-format-multi-cluster.rst
+
+  You must possess the |certauth| certificate and the key that you used
+  to sign your |tls| certificates.
+
@@ -0,0 +1,7 @@
+.. code-block:: none
+
+   <metadata.name>-<member_cluster_index>-<n>-svc.<namespace>.svc.cluster.local
+
+where ``n`` ranges from ``0`` to ``clusterSpecList[member_cluster_index].members - 1``.
+
+
@@ -0,0 +1,9 @@
+
+---
+stepnum: 1
+ref: renew-k8s-rs-tls-secret
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: renew-mc-rs-tls-secret
+
+...
@@ -0,0 +1,84 @@
+---
+stepnum: 1
+ref: create-k8s-mc-rs-tls-secret
+title: "Create the secret for the TLS certificate of your ``MongoDBMulti`` custom resource."
+level: 4
+content: |
+   Run the ``kubectl`` command to create a new secret that stores the
+   MongoDB multi-cluster resource's certificate:
+
+   .. code-block:: sh
+
+      kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
+      --namespace=<metadata.namespace> \
+      create secret tls <prefix>-<metadata.name>-cert \
+      --cert=<resource-tls-cert> \
+      --key=<resource-tls-key>
+
+---
+stepnum: 2
+ref: create-k8s-mc-rs-tls-configmap
+title: "Create the ConfigMap to link your CA with your ``MongoDBMulti`` custom resource."
+level: 4
+content: |
+   Run the ``kubectl`` command to link your |certauth| to your ``MongoDBMulti`` custom resource:
+
+   .. code-block:: sh
+
+      kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
+      --namespace=<metadata.namespace> \
+      create configmap custom-ca -from-file=ca-pem
+
+---
+stepnum: 3
+ref: update-mongodbmulti-resource
+title: "Update your ``MongoDBMulti`` custom resource."
+level: 4
+content: |
+
+   :ref:`Update your MongoDB multi-cluster resource <k8s-edit-database-resource>`
+   with :ref:`security settings <security-settings>` from the |k8s-op-short|
+   MongoDB resource specification. The resulting configuration should look as
+   follows:
+
+   .. code-block:: yaml
+
+      apiVersion: mongodb.com/v1
+      kind: MongoDBMulti
+      metadata:
+       name: multi-replica-set
+      spec:
+       version: 4.4.0-ent
+       type: ReplicaSet
+       persistent: false
+       duplicateServiceObjects: true
+       credentials: my-credentials
+       opsManager:
+         configMapRef:
+           name: my-project
+       security:
+         tls:
+           ca: custom-ca
+         certsSecretPrefix: <prefix>
+       clusterSpecList:
+         clusterSpecs:
+         - clusterName: ${MDB_CLUSTER_1_FULL_NAME}
+           members: 3
+         - clusterName: ${MDB_CLUSTER_2_FULL_NAME}
+           members: 2
+         - clusterName: ${MDB_CLUSTER_3_FULL_NAME}
+           members: 3
+
+   The |k8s-op-short| copies the ConfigMap with the |certauth| created in
+   the central cluster to each member cluster, generates a concatenated
+   |pem| secret, and distributes it to the member clusters.
+
+---
+stepnum: 4
+level: 4
+ref: verify-mc-resources-tls
+source:
+  file: steps-multi-cluster-source.yaml
+  ref: verify-mdb-resources-mc
+
+...
@@ -239,11 +239,34 @@ content: |
          --namespace mongodb
 
   #.  In the central cluster, run the following commands to verify that
-      the MongoDBMulti ``CustomResource`` is in the running state:
+      the ``MongoDBMulti`` custom resource is in the running state:
 
       .. code-block:: sh
 
          kubectl --context=$MDB_CENTRAL_CLUSTER_FULL_NAME \
            --namespace mongodb \
            get mdbm multi-replica-set -o yaml -w
+
+---
+
+title: "Renew the |k8s-secret| for a ``MongoDBMulti`` resource."
+stepnum: 0
+level: 4
+ref: renew-mc-rs-tls-secret
+content: |
+
+  Run this ``kubectl`` command to renew an existing |k8s-secret| that
+  stores the ``MongoDBMulti`` resource's certificates:
+
+  .. code-block:: sh
+
+     kubectl --context $MDB_CENTRAL_CLUSTER_FULL_NAME \
+     --namespace=<metadata.namespace> \
+     create secret tls <prefix>-<metadata.name>-cert \
+     --cert=<resource-tls-cert> \
+     --key=<resource-tls-key> \
+     --dry-run=client \
+     -o yaml |
+     kubectl apply -f -
+
 ...