update security.rst

f548d9e3 · Maarten de Waard · c2395857 · f548d9e3 · f548d9e3
Verified Commit f548d9e3 authored 3 years ago by Maarten de Waard
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -31,7 +31,8 @@ with open('../VERSION') as version_file:
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'recommonmark'
+    'recommonmark',
+    'sphinx.ext.autosectionlabel'
 ]

 # Add any paths that contain templates here, relative to this directory.

--- a/docs/security.rst
+++ b/docs/security.rst
@@ -5,23 +5,29 @@ Security
 Access control
 ==============

-By default, the resources of your OAS cluster will be exposed to the whole
-internet (although they are password protected by the single-sign-on system).
+By default, the applications on your OAS cluster will be exposed to the whole
+internet (although they are password protected).
+
 If you like to limit who can access your cluster resources you can configure
 the OAS ingress (`ingress-nginx <https://kubernetes.github.io/ingress-nginx>`__)
 to only accept connections from a certain IP address or range.
-Add a file in the ``CLUSTER_DIR/group_vars/all/`` directory, i.e. named
-``ingress.yml`` with the following content:

-.. code-block:: yaml
+Follow the :ref:`Customize OAS applications` instructions, but use the following
+secret as ``install/overrides/oas-nginx-override.yml`` and apply the secret in
+the ``oas`` namespace instead of ``oas-apps``. Replace the source range with the
+IP address ranges you want to allow.

-  ingress_extra_values:
-    controller:
-      config:
-        # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
-        # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
-        whitelist-source-range: 1.2.3.4/24
+.. code-block:: yaml

-After this, run the
-`Openappstack installation procedure <installation_instructions.html#step-4-installation>`__
-again.
+   ---
+   apiVersion: v1
+   kind: secret
+   metadata:
+     name: oas-nginx-override
+   data:
+     values.yaml: |
+       controller:
+         config:
+           # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
+           # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
+           whitelist-source-range: 1.2.3.4/24