Merge pull request #272267 from dominicbetts/aio-simulator-updates

prmerger-automator[bot] · web-flow · commit ab9850291e81 · 2024-04-16T10:06:00.000Z
AIO: Update OPC PLC simulator configuration
diff --git a/articles/iot-operations/get-started/quickstart-add-assets.md b/articles/iot-operations/get-started/quickstart-add-assets.md
@@ -76,7 +76,18 @@ To add an asset endpoint:
     kubectl get assetendpointprofile -n azure-iot-operations
     ```
 
-1. To enable the quickstart scenario, configure your asset endpoint to connect without mutual trust established. Run the following command:
+These quickstarts use the **OPC PLC simulator** to generate sample data. To enable the quickstart scenario, you need to configure the OPC UA Broker to accept untrusted server certificates and your asset endpoint to connect without mutual trust established. This configuration is not recommended for production or pre-production environments. For more information, see [Deploy the OPC PLC simulator](../manage-devices-assets/howto-configure-opc-plc-simulator.md):
+
+1. To configure the simulator for the quickstart scenario, run the following command:
+
+   ```azurecli
+   az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
+   ```
+
+   > [!CAUTION]
+   > Don't use this configuration in production or pre-production environments. The configuration lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
+
+1. To configure the asset endpoint for the quickstart scenario, run the following command:
 
     ```console
     kubectl patch AssetEndpointProfile opc-ua-connector-0 -n azure-iot-operations --type=merge -p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"opc-ua-connector-0\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
@@ -85,6 +96,8 @@ To add an asset endpoint:
     > [!CAUTION]
     > Don't use this configuration in production or pre-production environments. Exposing your cluster to the internet without proper authentication might lead to unauthorized access and even DDOS attacks.
 
+    To learn more, see [Deploy the OPC PLC simulator](../manage-devices-assets/howto-configure-opc-plc-simulator.md) section.
+
 1. To enable the configuration changes to take effect immediately, first find the name of your `aio-opc-supervisor` pod by using the following command:
 
     ```console
diff --git a/articles/iot-operations/get-started/quickstart-deploy.md b/articles/iot-operations/get-started/quickstart-deploy.md
@@ -253,15 +253,6 @@ In this section, you use the [az iot ops init](/cli/azure/iot/ops#az-iot-ops-ini
    >[!TIP]
    >If you've run `az iot ops init` before, it automatically created an app registration in Microsoft Entra ID for you. You can reuse that registration rather than creating a new one each time. To use an existing app registration, add the optional parameter `--sp-app-id <APPLICATION_CLIENT_ID>`.
 
-1. These quickstarts use the **OPC PLC simulator** to generate sample data. To configure the simulator for the quickstart scenario, run the following command:
-
-   > [!IMPORTANT]
-   > Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
-
-   ```azurecli
-   az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
-   ```
-
 ## View resources in your cluster
 
 While the deployment is in progress, you can watch the resources being applied to your cluster. You can use kubectl commands to observe changes on the cluster or, since the cluster is Arc-enabled, you can use the Azure portal.
diff --git a/articles/iot-operations/troubleshoot/known-issues.md b/articles/iot-operations/troubleshoot/known-issues.md
@@ -59,9 +59,7 @@ This article contains known issues for Azure IoT Operations Preview.
 
 ## OPC PLC simulator
 
-If you create an asset endpoint for the OPC PLC simulator, but the OPC PLC simulator isn't sending data to the IoT MQ broker, try the following command:
-
-- Patch the asset endpoint with `autoAcceptUntrustedServerCertificates=true`:
+If you create an asset endpoint for the OPC PLC simulator, but the OPC PLC simulator isn't sending data to the IoT MQ broker, run the following command to set `autoAcceptUntrustedServerCertificates=true` for the asset endpoint:
 
 ```bash
 ENDPOINT_NAME=<name-of-you-endpoint-here>
@@ -71,7 +69,10 @@ kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
 -p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
 ```
 
-You can also patch all your asset endpoints with the following command:
+> [!CAUTION]
+> Don't use this configuration in production or pre-production environments. Exposing your cluster to the internet without proper authentication might lead to unauthorized access and even DDOS attacks.
+
+You can patch all your asset endpoints with the following command:
 
 ```bash
 ENDPOINTS=$(kubectl get AssetEndpointProfile -n azure-iot-operations --no-headers -o custom-columns=":metadata.name")
@@ -83,8 +84,14 @@ kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
 done
 ```
 
-> [!WARNING]
-> Don't use untrusted certificates in production environments.
+Update the OPC UA Broker cluster extension to accept untrusted server certificates with the following command:
+
+```azurecli
+az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
+```
+
+> [!CAUTION]
+> Don't use this configuration in production or pre-production environments. The configuration lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
 
 If the OPC PLC simulator isn't sending data to the IoT MQ broker after you create a new asset, restart the OPC PLC simulator pod. The pod name looks like `aio-opc-opc.tcp-1-f95d76c54-w9v9c`. To restart the pod, use the `k9s` tool to kill the pod, or run the following command:
 
