Merge pull request #47635 from abrennan89/securityabstracts

[SRVCOM-1832]: Update abstracts for Jupiter requirements

Author: abrennan89

_topic_maps/_topic_map.yml

@@ -3508,8 +3508,6 @@ Topics:
     File: serverless-ossm-with-kourier-jwt
   - Name: Configuring a custom domain for a Knative service
     File: serverless-custom-domains
-  - Name: Using a custom TLS certificate for domain mapping
-    File: serverless-custom-tls-cert-domain-mapping
 # Functions
 - Name: Functions
   Dir: functions

_topic_maps/_topic_map_osd.yml

@@ -311,8 +311,6 @@ Topics:
     File: serverless-ossm-with-kourier-jwt
   - Name: Configuring a custom domain for a Knative service
     File: serverless-custom-domains
-  - Name: Using a custom TLS certificate for domain mapping
-    File: serverless-custom-tls-cert-domain-mapping
 - Name: Functions
   Dir: functions
   Topics:

_topic_maps/_topic_map_rosa.yml

@@ -422,8 +422,6 @@ Topics:
     File: serverless-ossm-with-kourier-jwt
   - Name: Configuring a custom domain for a Knative service
     File: serverless-custom-domains
-  - Name: Using a custom TLS certificate for domain mapping
-    File: serverless-custom-tls-cert-domain-mapping
 - Name: Functions
   Dir: functions
   Topics:

modules/serverless-create-domain-mapping-kn.adoc

@@ -7,11 +7,7 @@
 [id="serverless-create-domain-mapping-kn_{context}"]
 = Creating a custom domain mapping by using the Knative CLI
 
-You can use the `kn` CLI to create a `DomainMapping` custom resource (CR) that maps to an Addressable target CR, such as a Knative service or a Knative route.
-
-The `--ref` flag specifies an Addressable target CR for domain mapping.
-
-If a prefix is not provided when using the `--ref` flag, it is assumed that the target is a Knative service in the current namespace. The examples in the following procedure show the prefixes for mapping to a Knative service or a Knative route.
+You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service. You can use the Knative (`kn`) CLI to create a `DomainMapping` custom resource (CR) that maps to an Addressable target CR, such as a Knative service or a Knative route.
 
 .Prerequisites
 
@@ -39,6 +35,10 @@ $ kn domain create <domain_mapping_name> --ref <target_name>
 ----
 $ kn domain create example.com --ref example-service
 ----
++
+The `--ref` flag specifies an Addressable target CR for domain mapping.
++
+If a prefix is not provided when using the `--ref` flag, it is assumed that the target is a Knative service in the current namespace.
 
 * Map a domain to a Knative service in a specified namespace:
 +

modules/serverless-create-domain-mapping.adoc

@@ -6,7 +6,7 @@
 [id="serverless-create-domain-mapping_{context}"]
 = Creating a custom domain mapping
 
-To map a custom domain name to a custom resource (CR), you must create a `DomainMapping` CR that maps to an Addressable target CR, such as a Knative service or a Knative route.
+You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service. To map a custom domain name to a custom resource (CR), you must create a `DomainMapping` CR that maps to an Addressable target CR, such as a Knative service or a Knative route.
 
 .Prerequisites
 

modules/serverless-domain-mapping-custom-tls-cert.adoc

@@ -1,12 +1,12 @@
 // Module included in the following assemblies:
 //
-// * serverless/security/serverless-custom-tls-cert-domain-mapping.adoc
+// * serverless/security/serverless-custom-domains.adoc
 
 :_content-type: PROCEDURE
 [id="serverless-domain-mapping-custom-tls-cert_{context}"]
-= Adding a custom TLS certificate to a DomainMapping CR
+= Securing a service with a custom domain by using a TLS certificate
 
-You can add an existing TLS certificate with a `DomainMapping` custom resource (CR) to secure the mapped service.
+After you have configured a custom domain for a Knative service, you can use a TLS certificate to secure the mapped service. To do this, you must create a Kubernetes TLS secret, and then update the `DomainMapping` CR to use the TLS secret that you have created.
 
 .Prerequisites
 
@@ -27,7 +27,7 @@ You can add an existing TLS certificate with a `DomainMapping` custom resource (
 $ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>
 ----
 
-. Update the `DomainMapping` CR to use the TLS secret you have created:
+. Update the `DomainMapping` CR to use the TLS secret that you have created:
 +
 [source,yaml]
 ----

modules/serverless-domain-mapping-odc-admin.adoc

@@ -6,6 +6,8 @@
 [id="serverless-domain-mapping-odc-admin_{context}"]
 = Mapping a custom domain to a service by using the Administrator perspective
 
+include::snippets/serverless-domain-mapping.adoc[]
+
 ifdef::openshift-enterprise[]
 If you have cluster administrator permissions, you can create a `DomainMapping` custom resource (CR) by using the *Administrator* perspective in the {product-title} web console.
 endif::[]

modules/serverless-domain-mapping-odc-developer.adoc

@@ -6,7 +6,7 @@
 [id="serverless-domain-mapping-odc-developer_{context}"]
 = Mapping a custom domain to a service by using the Developer perspective
 
-You can use the *Developer* perspective of the {product-title} web console to map a `DomainMapping` custom resource (CR) to a Knative service.
+You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service. You can use the *Developer* perspective of the {product-title} web console to map a `DomainMapping` custom resource (CR) to a Knative service.
 
 .Prerequisites
 

modules/serverless-ossm-enable-sidecar-injection-with-kourier.adoc

@@ -6,16 +6,52 @@
 [id="serverless-ossm-v1x-jwt_{context}"]
 = Using JSON Web Token authentication with {SMProductShortName} 1.x and {ServerlessProductName}
 
-You can use the following procedure to enable using JSON Web Token authentication with {SMProductShortName} 1.x and {ServerlessProductName}.
+You can use JSON Web Token (JWT) authentication with Knative services by using {SMProductShortName} 1.x and {ServerlessProductName}. To do this, you must create a policy in the application namespace that is a member of the `ServiceMeshMemberRoll` object. You must also enable sidecar injection for the service.
+
+[IMPORTANT]
+====
+Adding sidecar injection to pods in system namespaces, such as `knative-serving` and `knative-serving-ingress`, is not supported when Kourier is enabled.
+
+ifdef::openshift-enterprise[]
+If you require sidecar injection for pods in these namespaces, see the {ServerlessProductName} documentation on _Integrating {SMProductShortName} with {ServerlessProductName} natively_.
+endif::[]
+====
 
 .Prerequisites
 
-* You have installed the {ServerlessOperatorName} and Knative Serving.
+* You have installed the {ServerlessOperatorName}, Knative Serving, and {SMProductName} on your cluster.
 * Install the OpenShift CLI (`oc`).
 * You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in {product-title}.
 
 .Procedure
 
+. Add the `sidecar.istio.io/inject="true"` annotation to your service:
++
+.Example service
+[source,yaml]
+----
+apiVersion: serving.knative.dev/v1
+kind: Service
+metadata:
+  name: <service_name>
+spec:
+  template:
+    metadata:
+      annotations:
+        sidecar.istio.io/inject: "true" <1>
+        sidecar.istio.io/rewriteAppHTTPProbers: "true" <2>
+...
+----
+<1> Add the `sidecar.istio.io/inject="true"` annotation.
+<2> You must set the annotation `sidecar.istio.io/rewriteAppHTTPProbers: "true"` in your Knative service, because {ServerlessProductName} versions 1.14.0 and higher use an HTTP probe as the readiness probe for Knative services by default.
+
+. Apply the `Service` resource:
++
+[source,terminal]
+----
+$ oc apply -f <filename>
+----
+
 . Create a policy in a serverless application namespace which is a member in the `ServiceMeshMemberRoll` object, that only allows requests with valid JSON Web Tokens (JWT):
 +
 [IMPORTANT]
@@ -43,6 +79,7 @@ spec:
 ----
 <1> The path on your application to collect metrics by system pod.
 <2> The path on your application to probe by system pod.
+
 . Apply the `Policy` resource:
 +
 [source,terminal]
@@ -64,6 +101,7 @@ $ curl http://hello-example-default.apps.mycluster.example.com/
 ----
 Origin authentication failed.
 ----
+
 . Verify the request with a valid JWT.
 .. Get the valid JWT token:
 +