Merge pull request #303425 from SoniaLopezBravo/aio250-screenhots-3otel

Update observability and screenshots in certificates

Author: v-regandowner

articles/iot-operations/configure-observability-monitoring/howto-configure-observability.md

@@ -245,9 +245,9 @@ Complete the following steps to install the Azure IoT Operations curated Grafana
    az grafana show --name <GRAFANA_NAME> --resource-group <RESOURCE_GROUP> --query url -o tsv
    ```
 
-1. In the Grafana application, select the **+** icon.
+1. On the Grafana landing page, select the **Create your first dashboard** tile.
 
-1. Select **Import dashboard**.
+1. Select **Import Dashboard**.
 
 1. Browse to the sample dashboard directory in your local copy of the Azure IoT Operations repository, **azure-iot-operations** > **samples** > **grafana-dashboard**, then select the  `aio.sample.json` dashboard file.
 

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -54,8 +54,6 @@ A cluster host:
 
   If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](./howto-manage-update-uninstall.md#uninstall).
 
-* (Optional) Prepare your cluster for observability before deploying Azure IoT Operations: [Configure observability](../configure-observability-monitoring/howto-configure-observability.md).
-
 * (Recommended) Configure your own certificate authority issuer before deploying Azure IoT Operations: [Bring your own issuer](../secure-iot-ops/howto-manage-certificates.md#bring-your-own-issuer).
 
 ## Deploy in Azure portal
@@ -186,14 +184,6 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
       --feature connectors.settings.preview=Enabled
       ```
 
-   * If you followed the optional prerequisites to prepare your cluster for observability, add the following optional parameters to the `create` command:
-
-       | Optional parameter | Value | Description |
-       | --------- | ----- | ----------- |
-       | `--ops-config` | `observability.metrics.openTelemetryCollectorAddress=<FULLNAMEOVERRIDE>.azure-iot-operations.svc.cluster.local:<GRPC_ENDPOINT>` | Provide the OpenTelemetry (OTel) collector address you configured in the otel-collector-values.yaml file.<br><br>The sample values used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) are **fullnameOverride=aio-otel-collector** and **grpc.endpoint=4317**. |
-       | `--ops-config` | `observability.metrics.exportInternalSeconds=<CHECK_INTERVAL>` | Provide the **check_interval** value you configured in the otel-collector-values.yaml file.<br><br>The sample value used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) is **check_interval=60**. |
-
-
     * If you followed the optional prerequisites to set up your own certificate authority issuer, add the `--trust-settings` parameters to the `create` command:
 
     ```bash

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-test-operations.md

@@ -54,7 +54,6 @@ A cluster host:
 
   If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](./howto-manage-update-uninstall.md#uninstall).
 
-* (Optional) Prepare your cluster for observability before deploying Azure IoT Operations: [Configure observability](../configure-observability-monitoring/howto-configure-observability.md).
 
 ## Deploy in Azure portal
 
@@ -168,14 +167,6 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
     --feature connectors.settings.preview=Enabled
     ```
 
-    * If you followed the optional prerequisites to prepare your cluster for observability, add the following parameters to the `create` command:
-
-        | Parameter | Value | Description |
-        | --------- | ----- | ----------- |
-        | `--ops-config` | `observability.metrics.openTelemetryCollectorAddress=<FULLNAMEOVERRIDE>.azure-iot-operations.svc.cluster.local:<GRPC_ENDPOINT>` | Provide the OpenTelemetry (OTel) collector address you configured in the otel-collector-values.yaml file.<br><br>The sample values used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) are **fullnameOverride=aio-otel-collector** and **grpc.endpoint=4317**. |
-        | `--ops-config` | `observability.metrics.exportInternalSeconds=<CHECK_INTERVAL>` | Provide the **check_interval** value you configured in the otel-collector-values.yaml file.<br><br>The sample value used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) is **check_interval=60**. |
-
-
 1. Once all of the Azure CLI commands complete successfully, you can close the **Install Azure IoT Operations** wizard.
 
 Once the `create` command completes successfully, you have a working Azure IoT Operations instance running on your cluster. At this point, your instance is configured for most testing and evaluation scenarios.

articles/iot-operations/deploy-iot-ops/howto-upgrade.md

@@ -12,7 +12,7 @@ ms.date: 07/18/2025
 
 # Upgrade to a new version
 
-Learn how to upgrade an Azure IoT Operations deployment to a newer version. There's no support for upgrading from any preview version of Azure IoT Operations to any generally available (GA) version.
+Learn how to upgrade an Azure IoT Operations deployment to a newer version.
 
 ## Prerequisites
 
@@ -114,17 +114,27 @@ You can only install a preview version using the Azure CLI.
 
 If you want to upgrade to a specific version of Azure IoT Operations that isn't the latest, you can run `az iot ops get-versions` or refer to [IoT Operations versions](https://aka.ms/aio-versions) to find the CLI extension version associated with the Azure IoT Operations version that you want. Get the version number and run the following command to upgrade to that version:
 
-   ```azurecli
-   az extension add --upgrade --name azure-iot-ops --version <VERSION_NUMBER>
+```azurecli
+az extension add --upgrade --name azure-iot-ops --version <VERSION_NUMBER>
 ```
 
+## Upgrade observability configuration
+
+To upgrade the observability configuration of your Azure IoT Operations instance, first you need to follow the steps in [Deploy observability resources](../configure-observability-monitoring/howto-configure-observability.md).
+
+You can upgrade the observability configuration by running the `az iot ops upgrade` command with the `--ops-config` parameter to specify the new configuration values.
+
+```azurecli
+az iot ops upgrade --resource-group <rg name> -n <instance name> --ops-config observability.metrics.openTelemetryCollectorAddress=<>
+```
+
+| Parameter | Value | Description |    
+| --------- | ----- | ----------- |
+| `--ops-config` | `observability.metrics.openTelemetryCollectorAddress=<FULLNAMEOVERRIDE>.azure-iot-operations.svc.cluster.local:<GRPC_ENDPOINT>` | Provide the OpenTelemetry (OTel) collector address you configured in the otel-collector-values.yaml file.<br><br>The sample values used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) are **fullnameOverride=aio-otel-collector** and **grpc.endpoint=4317**. |
+| `--ops-config` | `observability.metrics.exportInternalSeconds=<CHECK_INTERVAL>` | Provide the **check_interval** value you configured in the otel-collector-values.yaml file.<br><br>The sample value used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) is **check_interval=60**. |
+
 > [!NOTE]
-> In preview releases, the `az iot ops upgrade` command doesn't work for upgrading to a preview version, but it works for configuring the Azure IoT Operations for observability. Add the following parameters to the `upgrade` command:
->
-> | Parameter | Value | Description |
-> | --------- | ----- | ----------- |
-> | `--ops-config` | `observability.metrics.openTelemetryCollectorAddress=<FULLNAMEOVERRIDE>.azure-iot-operations.svc.cluster.local:<GRPC_ENDPOINT>` | Provide the OpenTelemetry (OTel) collector address you configured in the otel-collector-values.yaml file.<br><br>The sample values used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) are **fullnameOverride=aio-otel-collector** and **grpc.endpoint=4317**. |
-> | `--ops-config` | `observability.metrics.exportInternalSeconds=<CHECK_INTERVAL>` | Provide the **check_interval** value you configured in the otel-collector-values.yaml file.<br><br>The sample value used in [Configure observability](../configure-observability-monitoring/howto-configure-observability.md) is **check_interval=60**. |
+> In preview releases, the `az iot ops upgrade` command doesn't work for upgrading to a preview version, but it works for configuring the Azure IoT Operations for observability.
 
 
 ## MQTT broker upgrade considerations

articles/iot-operations/secure-iot-ops/howto-manage-certificates.md

@@ -4,7 +4,7 @@ description: Azure IoT Operations uses TLS to encrypt communication. Learn how t
 author: asergaz
 ms.author: sergaz
 ms.topic: how-to
-ms.date: 05/20/2025
+ms.date: 07/20/2025
 
 #CustomerIntent: As an operator, I want to configure Azure IoT Operations components to use TLS so that I have secure communication between all components.
 ---
@@ -149,33 +149,48 @@ To set up Azure IoT Operations with your own issuer for internal communications,
 
 The certificate management experience for external communications uses Azure Key vault as the managed vault solution on the cloud. Certificates are added to the key vault as secrets and synchronized to the edge as Kubernetes secrets via [Azure Key Vault Secret Store extension](/azure/azure-arc/kubernetes/secret-store-extension).
 
-For example, the connector for OPC UA uses the certificate management experience to configure OPC UA client application authentication to an external OPC UA server. Azure IoT Operations manages two distinct certificate stores for the connector for OPC UA: one for the *Trust list* and one for the *Issuer list*. To learn more about how the connector for OPC UA uses certificates to establish mutual trust with an OPC UA server, see [OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/overview-opc-ua-connector-certificates-management.md).
+Connectors use the certificate management experience to configure client application authentication to external servers. Azure IoT Operations manages two distinct certificate stores for connectors: one for the *Trust list* and one for the *Issuer list*. To learn more about how connectors use certificates to establish mutual trust with external servers, see the connector-specific certificate management documentation.
 
+When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the Kubernetes cluster to be used in the *Trust list* and *Issuer list* stores for external connections.
 
-When you [deploy Azure IoT Operations with secure settings](../deploy-iot-ops/overview-deploy.md#secure-settings-deployment), you can start adding certificates to Azure Key Vault, and sync them to the Kubernetes cluster to be used in the *Trust list* and *Issuer list* stores for OPC UA connections:
+To manage certificates for external communications, follow these steps:
 
-:::image type="content" source="media/howto-manage-certificates/add-new-certificate.png" lightbox="media/howto-manage-certificates/add-new-certificate.png" alt-text="Screenshot that shows the Upload certificate and Add from Azure Key Vault options when adding a new certificate to the devices page.":::
+1. Go to [Azure IoT Operations experience](https://iotoperations.azure.com), and choose your site and Azure IoT Operations instance.
+1. In the left navigation pane, select **Asset endpoints**.
+1. Click on **Manage certificates and secrets**.
 
-- **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the cluster using Secret Store extension. 
+    :::image type="content" source="media/howto-manage-certificates/manage-certificates.png" lightbox="media/howto-manage-certificates/manage-certificates.png" alt-text="Screenshot that shows the Manage certificates and secrets option in the left navigation pane.":::
 
-    > [!TIP]
-    > - View the certificate details once uploaded, to ensure you have the correct certificate before adding to Azure Key Vault and synchronizing to the cluster.
-    > - Use an intuitive name so that you can recognize which secret represents your secret in the future.
-    
-    > [!NOTE]
-    > Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to the cluster, you must select **Apply** for the changes to be applied.
-     
+1. In the Certificates and Secrets page, click on **Add new certificate**.
+
+    :::image type="content" source="media/howto-manage-certificates/add-new-certificate.png" lightbox="media/howto-manage-certificates/add-new-certificate.png" alt-text="Screenshot that shows the Add new certificate button in the devices page.":::
 
-- **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the cluster.
+1. You can add a new certificate in two ways:
 
-    > [!NOTE]
-    > Make sure to select the secret that holds the certificate you would like to synchronize to the cluster. Selecting a secret which isn't the correct certificate causes the connection to fail.
+    - **Upload Certificate**: Uploads a certificate which is then added as a secret to Azure Key Vault and automatically synchronized to the cluster using Secret Store extension. 
+    
+        - View the certificate details once uploaded, to ensure you have the correct certificate before adding to Azure Key Vault and synchronizing to the cluster.
+        - Use an intuitive name so that you can recognize which secret represents your secret in the future.
+    
+        :::image type="content" source="media/howto-manage-certificates/upload-certificate.png" lightbox="media/howto-manage-certificates/upload-certificate.png" alt-text="Screenshot that shows the Upload certificate option when adding a new certificate to the devices page.":::
+    
+        > [!NOTE]
+        > Simply uploading the certificate won't add the secret to Azure Key Vault and synchronize to the cluster, you must select **Apply** for the changes to be applied.
+         
+    
+    - **Add from Azure Key Vault**: Add an existing secret from the Azure Key vault to be synchronized to the cluster.
+    
+        :::image type="content" source="media/howto-manage-certificates/add-from-key-vault.png" lightbox="media/howto-manage-certificates/add-from-key-vault.png" alt-text="Screenshot that shows the Add from Azure Key Vault option when adding a new certificate to the devices page.":::
+    
+        > [!NOTE]
+        > Make sure to select the secret that holds the certificate you would like to synchronize to the cluster. Selecting a secret which isn't the correct certificate causes the connection to fail.
+    
 
+1. Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it's synchronized to:
 
-Using the list view you can manage the synchronized certificates. You can view all the synchronized certificates, and which certificate store it's synchronized to:
+    :::image type="content" source="media/howto-manage-certificates/list-certificates.png" lightbox="media/howto-manage-certificates/list-certificates.png" alt-text="Screenshot that shows the list of certificates in the devices page and how to filter by Trust List and Issuer List.":::
 
-:::image type="content" source="media/howto-manage-certificates/list-certificates.png" lightbox="media/howto-manage-certificates/list-certificates.png" alt-text="Screenshot that shows the list of certificates in the devices page and how to filter by Trust List and Issuer List.":::
 
-- To learn more about the *Trust list* and *Issuer list* stores, see [Configure OPC UA certificates infrastructure for the connector for OPC UA](../discover-manage-assets/howto-configure-opc-ua-certificates-infrastructure.md).
+To learn more about the *Trust list* and *Issuer list* stores, see the connector-specific certificate management documentation.
 
 You can delete synced certificates as well. When you delete a synced certificate, it only deletes the synced certificate from the Kubernetes cluster, and doesn't delete the contained secret reference from Azure Key Vault. You must delete the certificate secret manually from the key vault.