clarify usage of OPC PLC Server

cristipogacean · cristipogacean · commit 2b294a201418 · 2024-03-19T23:51:49.000+01:00
diff --git a/articles/iot-operations/get-started/quickstart-add-assets.md b/articles/iot-operations/get-started/quickstart-add-assets.md
@@ -29,6 +29,8 @@ Complete [Quickstart: Deploy Azure IoT Operations Preview to an Arc-enabled Kube
 
 To sign in to the Azure IoT Operations portal, you need a work or school account in the tenant where you deployed Azure IoT Operations. If you're currently using a Microsoft account (MSA), you need to create a Microsoft Entra ID with at least contributor permissions for the resource group that contains your **Kubernetes - Azure Arc** instance. To learn more, see [Known Issues > Create Entra account](../troubleshoot/known-issues.md#azure-iot-operations-preview-portal).
 
+For this quickstart, we use the **OPC PLC simulator** as our OPC UA Server endpoint. Follow [How to configure an OPC PLC simulator to work with Azure IoT OPC UA Broker](../manage-devices-assets/howto-configure-opc-plc-simulator.md) to make sure that OPC PLC is properly installed and configured before you begin.
+
 ## What problem will we solve?
 
 The data that OPC UA servers expose can have a complex structure and can be difficult to understand. Azure IoT Operations provides a way to model OPC UA assets as tags, events, and properties. This modeling makes it easier to understand the data and to use it in downstream processes such as the MQ broker and Azure IoT Data Processor Preview pipelines.
@@ -84,40 +86,6 @@ To add an asset endpoint:
 
     When the OPC PLC simulator is running, data flows from the simulator, to the connector, to the OPC UA broker, and finally to the MQ broker.
 
-The following step lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation. To enable the asset endpoint to use an untrusted certificate:
-
-> [!CAUTION]
-> Don't use untrusted certificates in production environments. To learn more, see [Configure an OPC PLC simulator](../manage-devices-assets/howto-configure-opc-plc-simulator.md).
-
-1. Run the following command to enable the use of an untrusted certificate. Replace the two placeholders with your cluster name and resource group name:
-
-    ```azurecli
-    az k8s-extension update \
-    --version 0.3.0-preview \
-    --name opc-ua-broker \
-    --release-train preview \
-    --cluster-name <cluster-name> \
-    --resource-group <azure-resource-group> \
-    --cluster-type connectedClusters \
-    --auto-upgrade-minor-version false \
-    --config opcPlcSimulation.deploy=true \
-    --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
-    ```
-
-1. To enable the configuration change to take effect immediately, first find the name of your `aio-opc-supervisor` pod by using the following command:
-
-    ```console
-    kubectl get pods -n azure-iot-operations
-    ```
-
-    The name of your pod looks like `aio-opc-supervisor-956fbb649-k9ppr`.
-
-1. Restart the `aio-opc-supervisor` pod by using a command that looks like the following example. Use the `aio-opc-supervisor` pod name from the previous step:
-
-    ```console
-    kubectl delete pod aio-opc-supervisor-956fbb649-k9ppr -n azure-iot-operations
-    ```
-
 ## Manage your assets
 
 After you select your cluster in Azure IoT Operations portal, you see the available list of assets on the **Assets** page. If there are no assets yet, this list is empty:
@@ -204,7 +172,7 @@ The sample tags you added in the previous quickstart generate messages from your
 
 ```json
 {
-    "Timestamp": "2024-03-08T00:54:58.6572007Z", 
+    "Timestamp": "2024-03-08T00:54:58.6572007Z",
     "MessageType": "ua-deltaframe",
     "payload": {
       "temperature": {
@@ -261,7 +229,7 @@ kubectl get akrii -n azure-iot-operations
 
 It might take a few minutes for the instance to show up.
 
-The output from the previous command looks like the following example. 
+The output from the previous command looks like the following example.
 
 ```console
 NAMESPACE              NAME                      CONFIG             SHARED   NODES            AGE
@@ -270,7 +238,7 @@ azure-iot-operations   akri-opcua-asset-dbdef0   akri-opcua-asset   true     ["d
 
 Now you can use these resources in the local cluster namespace.
 
-To confirm that Akri connected to the OPC UA Broker, copy and paste the name of the Akri instance from the previous step into the following command: 
+To confirm that Akri connected to the OPC UA Broker, copy and paste the name of the Akri instance from the previous step into the following command:
 
 ```bash
 kubectl get akrii <AKRI_INSTANCE_NAME> -n azure-iot-operations -o json
@@ -283,7 +251,7 @@ The command output looks like the following example. This example output shows t
 
         "brokerProperties": {
             "ApplicationUri": "Boiler #2",
-            "AssetEndpointProfile": "{\"spec\":{\"uuid\":\"opc-ua-broker-opcplc-000000-azure-iot-operation\"……   
+            "AssetEndpointProfile": "{\"spec\":{\"uuid\":\"opc-ua-broker-opcplc-000000-azure-iot-operation\"……
 ```
 
 ## How did we solve the problem?
diff --git a/articles/iot-operations/manage-devices-assets/howto-configure-opc-plc-simulator.md b/articles/iot-operations/manage-devices-assets/howto-configure-opc-plc-simulator.md
@@ -22,7 +22,9 @@ Azure IoT Operations installed. For more information, see [Quickstart: Deploy Az
 
 ## Deploy the OPC PLC simulator
 
-This section shows how to deploy the OPC PLC simulator. 
+This section shows how to deploy the OPC PLC simulator.
+
+The following step lowers the security level for the OPC PLC so that it accepts connections from AzureIot OPC UA Broker or any client without an explicit peer certificate trust operation.
 
 > [!IMPORTANT]
 > Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
@@ -44,27 +46,51 @@ az k8s-extension update \
 
 The OPC PLC OPC UA server should run in the same deployment as a separate pod.
 
-## Get the certificate of the OPC PLC simulator
-The application instance certificate of the OPC PLC is a self-signed certificate managed by cert-manager and stored in the `secret aio-opc-ua-opcplc-default-application-cert-000000` kubernetes secret.
-
-To get the certificate, run the following commands on your cluster:
-
-```bash
-# extract the public key of the opc plc from the kubernetes secret
-kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | base64 -d > opcplc.crt
-
-# optionally transform the certificate in *.der format
-openssl x509 -outform der -in opcplc.crt -out opcplc.der
-```
-
-## Configure OPC UA mutual trust
-The next step in OPC UA authentication is to configure mutual trust. In OPC UA communication, the OPC UA client and server authenticate each other.
-
-To complete this configuration, follow the steps to [configure mutual trust](howto-configure-opcua-certificates-infrastructure.md#how-to-handle-the-opc-ua-trusted-certificates-list). Use the certificate file you extracted in the previous section. 
+## Configure OPC UA mutual trust between Azure Iot OPC UA Broker Preview and the OPC PLC
 
-For simplicity, on the OPC PLC you don't need to do a mutual trust action. Mutual trust is configured with `autoAcceptUntrustedCertificates`, which accepts connections from any OPC UA client.
+The application instance certificate of the OPC PLC is a self-signed certificate managed by cert-manager and stored in the `secret aio-opc-ua-opcplc-default-application-cert-000000` kubernetes secret.
 
-## Optionally configure for no authentication
+1. Get the certificate, run the following commands on your cluster, and push it to Azure Key Vault.
+
+    ```bash
+    kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | \
+    xargs -I {} \
+    az keyvault secret set \
+        --name "opcplc-crt" \
+        --vault-name <azure-key-vault-name> \
+        --value {} \
+        --encoding base64 \
+        --content-type application/x-pem-file
+    ```
+
+2. Configure the secret provider class (SPC) `aio-opc-ua-broker-trust-list` custom resource (CR) in the connected cluster. Use a K8s client such as kubectl to configure the secret `opcplc.crt`  in the SPC object array in the connected cluster.
+
+    ```yml
+    apiVersion: secrets-store.csi.x-k8s.io/v1
+    kind: SecretProviderClass
+    metadata:
+      name: aio-opc-ua-broker-trust-list
+      namespace: azure-iot-operations
+    spec:
+      provider: azure
+      parameters:
+        usePodIdentity: 'false'
+        keyvaultName: <azure-key-vault-name>
+        tenantId: <azure-tenant-id>
+        objects: |
+          array:
+            - |
+              objectName: opcplc-crt
+              objectType: secret
+              objectAlias: opcplc.crt
+              objectEncoding: hex
+    ```
+
+The projection of the Azure Key Vault secrets and certificates into the cluster takes some time depending on the configured polling interval.
+
+Now, the Azure IoT OPC UA Broker the trust relationship with OPC PLC should be established and you can proceed to create an `Asset Endpoint Profile` to connect to your OPC PLC simulation server.
+
+## Optionally configure your `Asset Endpoint Profile` without mutual trust established
 
 You can optionally configure an asset endpoint profile for the OPC PLC to run without mutual trust established. If you understand the risks, you can turn off authentication for testing purposes.
 
@@ -73,14 +99,19 @@ You can optionally configure an asset endpoint profile for the OPC PLC to run wi
 
 To allow your asset endpoint profile to connect to any OPC PLC server without establishing mutual trust, use the `additionalConfiguration` setting to change the `AssetEndpointProfile` for OPC UA.
 
-Configure the setting as shown in the following example JSON code:
+Patch the asset endpoint with `autoAcceptUntrustedServerCertificates=true`:
 
-```json
-"security": {
-        "autoAcceptUntrustedServerCertificates": true
-         }
+```bash
+ENDPOINT_NAME=<name-of-you-endpoint-here>
+kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
+-n azure-iot-operations \
+--type=merge \
+-p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
 ```
 
+> [!WARNING]
+> Don't use untrusted certificates in production environments.
+
 ## Related content
 
 - [Autodetect assets using Azure IoT Akri Preview](howto-autodetect-opcua-assets-using-akri.md)
