From f548d9e33c45bb21bf0c4c6b6e4aae9e9cc45340 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Tue, 13 Jul 2021 15:38:33 +0200
Subject: [PATCH] update security.rst

---
 docs/conf.py      |  3 ++-
 docs/security.rst | 34 ++++++++++++++++++++--------------
 2 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/docs/conf.py b/docs/conf.py
index c36ddd4c3..ad6133c98 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -31,7 +31,8 @@ with open('../VERSION') as version_file:
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'recommonmark'
+    'recommonmark',
+    'sphinx.ext.autosectionlabel'
 ]
 
 # Add any paths that contain templates here, relative to this directory.
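Review bot: `sphinx.ext.autosectionlabel` is added to `extensions` with no accompanying `autosectionlabel_prefix_document` or `autosectionlabel_maxdepth` setting, so every section title in every document becomes a global label. If two documents share a heading (not visible from this hunk), Sphinx emits duplicate-label warnings and a bare `:ref:` such as the one added in `docs/security.rst` may resolve to the wrong page. Consider adding `autosectionlabel_prefix_document = True` and writing the reference with its document prefix, or at least `autosectionlabel_maxdepth = 2` to limit the labels generated. The rest of `conf.py` lies outside the hunk, so these options may already be set elsewhere.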
diff --git a/docs/security.rst b/docs/security.rst
index d6d5b9cfb..3dbb4ebf6 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -5,23 +5,29 @@ Security
 Access control
 ==============
 
-By default, the resources of your OAS cluster will be exposed to the whole
-internet (although they are password protected by the single-sign-on system).
+By default, the applications on your OAS cluster will be exposed to the whole
+internet (although they are password protected).
+
 If you like to limit who can access your cluster resources you can configure
 the OAS ingress (`ingress-nginx <https://kubernetes.github.io/ingress-nginx>`__)
 to only accept connections from a certain IP address or range.
-Add a file in the ``CLUSTER_DIR/group_vars/all/`` directory, i.e. named
-``ingress.yml`` with the following content:
 
-.. code-block:: yaml
+Follow the :ref:`Customize OAS applications` instructions, but use the following
+secret as ``install/overrides/oas-nginx-override.yml`` and apply the secret in
+the ``oas`` namespace instead of ``oas-apps``. Replace the source range with the
+IP address ranges you want to allow.
 
-  ingress_extra_values:
-    controller:
-      config:
-        # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
-        # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
-        whitelist-source-range: 1.2.3.4/24
+.. code-block:: yaml
 
-After this, run the
-`Openappstack installation procedure <installation_instructions.html#step-4-installation>`__
-again.
+   ---
+   apiVersion: v1
+   kind: secret
+   metadata:
+     name: oas-nginx-override
+   data:
+     values.yaml: |
+       controller:
+         config:
+           # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
+           # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
+           whitelist-source-range: 1.2.3.4/24
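Review bot: The Secret manifest in the added code block will not apply as written. Kubernetes kinds are case-sensitive, so `kind: secret` must be `kind: Secret`, and a plain-text `values.yaml: |` block under `data:` is rejected because `data` values must be base64-encoded; use `stringData:` for the unencoded form shown here. Because this override is the only thing that restricts the ingress, a reader whose apply fails or whose override is not picked up still has the applications reachable from the whole internet. The section should therefore end with a step asking the reader to confirm, from an address outside the allowed range, that requests are denied. As a minor point, `1.2.3.0/24` would be a cleaner placeholder than `1.2.3.4/24`, which has host bits set.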
-- 
GitLab