Merge pull request #289707 from MicrosoftDocs/repo_sync_working_branch

Daidihuang · web-flow · commit e830a3a21133 · 2024-11-02T05:56:09.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-docs (branch main)
diff --git a/articles/iot-operations/secure-iot-ops/concept-default-root-ca.md b/articles/iot-operations/secure-iot-ops/concept-default-root-ca.md
@@ -84,3 +84,54 @@ To help you get started, Azure IoT Operations Preview is deployed with a default
         status: "True" 
         type: Ready 
     ```
+## Bring your own issuer
+
+For production deployments, we recommend that you set up Azure IoT Operations with an enterprise PKI to manage certificates and that you bring your own issuer which works with your enterprise PKI instead of using the default self-signed issuer to issue TLS certificates for internal communication.
+To set up Azure IoT Operations with your own issuer, use the following steps before deploying an instance to your cluster:
+
+1. Follow the steps in [Prepare your cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up your cluster.
+  
+1. Install [cert-manager](https://cert-manager.io/docs/installation/).
+  Cert-manager manages TLS certificates.
+
+1. Install [trust-manager](https://cert-manager.io/docs/trust/trust-manager/installation/).
+   While installing trust manager, set the `trust namespace` to cert-manager. For example:
+
+      ```bash
+      helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --set app.trust.namespace=cert-manager --wait
+      ```
+   
+      Trust-manager is used to distribute a trust bundle to components.
+  
+1. Create the Azure IoT Operations namespace.
+  
+    ```bash
+    kubectl create namespace azure-iot-operations
+    ```
+
+1. Deploy an issuer that works with cert-manager. For a list of all supported issuers, see [cert-manager issuers](https://cert-manager.io/docs/configuration/issuers/).
+
+   The issuer can be of type `ClusterIssuer` or `Issuer`. If using `Issuer`, the issuer resource must be created in the Azure IoT Operations namespace.
+
+1. Set up trust bundle in the Azure IoT Operations namespace.
+
+   1. To set up trust bundle, create a ConfigMap in the Azure IoT Operations namespace. Place the public key portion of your CA certificate into the config map with a key name of your choice.
+   1. Get the public key portion of your CA certificate. The steps to acquire the public key depend on the issuer you have chosen.
+   1. Create the ConfigMap. For example:
+
+      ```bash
+      kubectl create configmap -n azure-iot-operations <YOUR_CONFIGMAP_NAME> --from-file=<CA_CERTIFICATE_FILENAME_PEM_OR_DER>
+      ```
+
+1. Follow steps in [Deploy Azure IoT Operations](../deploy-iot-ops/howto-deploy-iot-operations.md) to deploy, *with a few changes*.
+   1. Add the `--user-trust` parameter while preparing cluster. For example:
+
+      ```bash
+      az iot ops init --subscription <SUBSCRIPTION_ID> --cluster <CLUSTER_NAME>  -g <RESOURCE_GROUP> --user-trust
+      ```
+     
+   2.  Add the `--trust-settings` parameter with the necessary information while deploying Azure IoT Operations. For example:
+
+      ```bash
+      az iot ops create --subscription <SUBSCRIPTION_ID> -g <RESOURCE_GROUP> --cluster <CLUSTER_NAME> --custom-location <CUSTOME_LOCATION> -n <iNSTANCE_NAME> --sr-resource-id <SCHEMAREGISTRY_RESOURCE_ID> --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>
+      ```
