Merge pull request #260840 from karok2m/kakostan/opc-ua

prmerger-automator[bot] · web-flow · commit c0a7ceca1534 · 2023-12-11T17:21:26.000Z
Fixed OPC UA Broker secret references.
diff --git a/articles/iot-operations/manage-devices-assets/howto-configure-opcua-authentication-options.md b/articles/iot-operations/manage-devices-assets/howto-configure-opcua-authentication-options.md
@@ -42,17 +42,19 @@ The following table shows the feature support level for authentication in the cu
 ## Configure OPC UA transport authentication
 OPC UA transport authentication requires you to configure the following items:
 - The OPC UA X.509 client transport certificate to be used for transport authentication and encryption.  Currently, this certificate is an application certificate used for all transport in OPC UA Broker.
-- The private key to be used for the authentication and encryption.  Currently, password protected private key files aren't supported. 
+- The private key to be used for the authentication and encryption.  Currently, password protected private key files aren't supported.
 
-In Azure IoT Digital Operations Experience, the first step to set up an asset endpoint requires you to configure the thumbprint of the transport certificate. The following code examples reference the certificate file *./secret/cert.der*.  
+In Azure IoT Digital Operations Experience, the first step to set up an asset endpoint requires you to configure the thumbprint of the transport certificate. The following code examples reference the certificate file *./secret/cert.der* and private key file *./secret/cert.pem*.
+
+To create a sample self-signed certificate for transport authorization with *./secret/cert.der* and *./secret/cert.pem* files, see [Create a self-signed certificate for transport authorization](#create-a-self-signed-certificate-for-transport-authorization).
 
 To complete the configuration of an asset endpoint in Operations Experience, do the following steps:
 
-1. Configure the transport certificate and private key in Azure Key Vault. In the following example, the file *./secret/cert.der* contains the transport certificate and the file *./secret/cert.pem* contains the private key. 
+1. Configure the transport certificate and private key in Azure Key Vault. In the following example, the file *./secret/cert.der* contains the transport certificate and the file *./secret/cert.pem* contains the private key.
+
+    To configure the transport certificate, run the following commands:
 
-    To configure the transport certificate, run the following commands: 
 
-    
     ```bash
     # Upload cert.der Application certificate as secret to Azure Key Vault
     az keyvault secret set \
@@ -61,7 +63,7 @@ To complete the configuration of an asset endpoint in Operations Experience, do
       --file ./secret/cert.der \
       --encoding hex \
       --content-type application/pkix-cert
-    
+
     # Upload cert.pem private key as secret to Azure Key Vault
     az keyvault secret set \
       --name "aio-opc-opcua-connector-pem" \
@@ -70,8 +72,8 @@ To complete the configuration of an asset endpoint in Operations Experience, do
       --encoding hex \
       --content-type application/x-pem-file
     ```
-    
-1. Configure the secret provider class `aio-opc-ua-broker-client-certificate` custom resource (CR) in the connected cluster. Use a K8s client such as kubectl to configure the secrets `aio-opc-opcua-connector-der` and `aio-opc-opcua-connector-pem` in the SPC object array in the connected cluster. 
+
+2. Configure the secret provider class `aio-opc-ua-broker-client-certificate` custom resource (CR) in the connected cluster. Use a K8s client such as kubectl to configure the secrets `aio-opc-opcua-connector-der` and `aio-opc-opcua-connector-pem` in the SPC object array in the connected cluster.
 
     The following example shows a complete SPC CR after you added the secret configurations:
 
@@ -185,10 +187,18 @@ Before you can configure secrets for the username and password, you need to comp
 
     ```bash
     # Create username Secret in Azure Key Vault
-      az keyvault secret set --name "username" --vault-name <azure-key-vault-name> --value "user1" --content-type "text/plain"
-        
+      az keyvault secret set \
+        --name "username" \
+        --vault-name <azure-key-vault-name> \
+        --value "user1" \
+        --content-type "text/plain"
+
     # Create password Secret in Azure Key Vault
-      az keyvault secret set --name "password" --vault-name <azure-key-vault-name> --value "password" --content-type "text/plain"
+      az keyvault secret set \
+        --name "password" \
+        --vault-name <azure-key-vault-name> \
+        --value "password" \
+        --content-type "text/plain"
     ```
 
 1. Configure the secret provider class `aio-opc-ua-broker-user-authentication` custom resource (CR) in the connected cluster. Use a K8s client such as kubectl to configure the secrets (`username` and `password`, in the following example) in the SPC object array in the connected cluster.
diff --git a/articles/iot-operations/manage-devices-assets/howto-manage-assets-remotely.md b/articles/iot-operations/manage-devices-assets/howto-manage-assets-remotely.md
@@ -78,34 +78,24 @@ When the OPC PLC simulator is running, data flows from the simulator, to the con
 
 ### Configure an asset endpoint to use a username and password
 
-The previous example uses the `Anonymous` authentication mode. This mode doesn't require a username or password. If you want to use the `UsernamePassword` authentication mode, you must configure the asset endpoint accordingly.
+The previous example uses the `Anonymous` authentication mode. This mode doesn't require a username or password.
 
-The following script shows how to create a secret for the username and password and add it to the Kubernetes store:
+To use the `UsernamePassword` authentication mode, complete the following steps:
 
-```sh
-# NAMESPACE is the namespace containing the MQ broker.
-export NAMESPACE="azure-iot-operations"
-
-# Set the desired username and password here.
-export USERNAME="username"
-export PASSWORD="password"
-
-echo "Storing k8s username and password generic secret..."
-kubectl create secret generic opc-ua-connector-secrets --from-literal=username=$USERNAME --from-literal=password=$PASSWORD --namespace $NAMESPACE
-```
-
-To configure the asset endpoint to use these secrets, select **Username & password** for the **User authentication** field. Then enter the following values for the **Username reference** and **Password reference** fields:
+1. Follow the steps in [Configure OPC UA user authentication with username and password](howto-configure-opcua-authentication-options.md#configure-opc-ua-user-authentication-with-username-and-password) to add secrets for username and password in Azure Key Vault, and project them into Kubernetes cluster.
+2. In Azure IoT Operations portal, select **Username & password** for the **User authentication** field to configure the asset endpoint to use these secrets. Then enter the following values for the **Username reference** and **Password reference** fields:
 
 | Field | Value |
 | --- | --- |
-| Username reference | `@@sec_k8s_opc-ua-connector-secrets/username` |
-| Password reference | `@@sec_k8s_opc-ua-connector-secrets/password` |
-
-The following example YAML file shows the configuration for an asset endpoint that uses the `UsernamePassword` authentication mode. The configuration references the secret you created previously:
+| Username reference | `aio-opc-ua-broker-user-authentication/username` |
+| Password reference | `aio-opc-ua-broker-user-authentication/password` |
 
 ### Configure an asset endpoint to use a transport authentication certificate
 
-To configure the asset endpoint to use a transport authentication certificate, select **Use transport authentication certificate** for the **Transport authentication** field. Then enter the certificate thumbprint and the certificate password reference.
+To configure the asset endpoint to use a transport authentication certificate, complete the following steps:
+
+1. Follow the steps in [Configure OPC UA transport authentication](howto-configure-opcua-authentication-options.md#configure-opc-ua-transport-authentication) to add a transport certificate and private key to Azure Key Vault, and project them into Kubernetes cluster.
+2. In Azure IoT Operations portal, select **Use transport authentication certificate** for the **Transport authentication** field and enter the certificate thumbprint.
 
 ## Add an asset, tags, and events
 
