SONAR-15656 added more documentation about the PKCS11 container

diff --git a/server/sonar-docs/src/pages/setup/operate-cluster.md b/server/sonar-docs/src/pages/setup/operate-cluster.md
index 4d0768894257ec0b0a71db582b908f0e92844f9c..398541291a681fb809838ec6432f6ca3c3298554 100644 (file)
--- a/server/sonar-docs/src/pages/setup/operate-cluster.md
+++ b/server/sonar-docs/src/pages/setup/operate-cluster.md
@@ -155,6 +155,9 @@ Property  | Description | Default | Required
 [[info]]
 | This configuration is optional. To secure access to your setup, you may want to first limit access to the nodes in your network. Elasticsearch authentication just adds another layer of security.
 
+[[warning]]
+| When creating the PKCS#12 container, make sure it is created with an algorithm that is readable by Java 11.
+
 For Elasticsearch authentication, the following properties need to be configured on specific nodes:
 
 #### Application nodes
@@ -171,7 +174,8 @@ Property  | Description | Default | Required
 `sonar.cluster.es.ssl.keystorePassword`|Password to the keystore.| |no
 `sonar.cluster.es.ssl.truststorePassword`|Password to the truststore.| | no
 
-When you're using Docker image, truststore and keystore should be provided as volumes.
+When you're using the SonarSource Docker images, the truststore/keystore should be provided as volumes. 
+On Kubernetes, you need to create a new Secret from the truststore/keystore and provide the name to the Helm chart.
 
 ## Limitations
 * Cluster downtime is required for SonarQube upgrades or plugin installations.
@@ -189,3 +193,6 @@ Yes, but it's best to have one machine for each node to be resilient to failures
 
 ### Can the members of a cluster be discovered automatically? 
 No, all nodes must be configured in _$SONARQUBE-HOME/conf/sonar.properties_
+
+### My keystore/truststore cannot be read by SonarQube
+Make sure that the keystore/truststore in question was generated with an algorithm that is known to Java 11. See [JDK-8267599](https://bugs.openjdk.java.net/browse/JDK-8267599) for reference
\ No newline at end of file

diff --git a/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md b/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md
index 349b90deee6a9c83f2f4a532d28e12d4c948fd7c..6dfa809e7e7144ee32e2a88267990366fe607ca0 100644 (file)
--- a/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md
+++ b/server/sonar-docs/src/pages/setup/sonarqube-cluster-on-kubernetes.md
@@ -141,6 +141,15 @@ With JSON Logging enabled, you can define a LogQL Query like this to filter only
 {namespace="sonarqube-dce", app="sonarqube-dce"}| json | severity="ERROR" | line_format "{{.nodename}} {{.message}}"
 ```
 
+### ES Cluster Authentication
+
+Since SonarQube 8.9, you can enable basic security for the Search Cluster in SonarQube. To benefit from this additional layer of security on Kubernetes as well, you need to provide a PKCS#11 Container with the required certificates to our Helm chart.
+The required secret can be created like this: 
+
+```bash
+kubectl create secret generic <NAME OF THE SECRET> --from-file=/PATH/TO/YOUR/PKCS12.container=elastic-stack-ca.p12 -n <NAMESPACE>
+```
+
 ### Other Configuration Options
 
 This documentation only contains the most important Helm chart customizations. See the [Customize the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing) documentation and the Helm chart [README](https://github.com/SonarSource/helm-chart-sonarqube/tree/master/charts/sonarqube-dce) for more possibilities on customizing the Helm chart.