OCPBUGS-22844: Added pk12util tool command to the nw-ovn-ipsec-north-south-enable.adoc doc

Author: dfitzmau

modules/nw-ovn-ipsec-north-south-enable.adoc

@@ -18,8 +18,8 @@ After you apply the machine config, the Machine Config Operator reboots affected
 * Install the {oc-first}.
 * You have installed the `butane` utility on your local computer.
 * You have installed the NMState Operator on the cluster.
-* You are logged in to the cluster as a user with `cluster-admin` privileges.
-* You have an existing PKCS#12 certificate for the IPsec endpoint and a CA cert in PEM format.
+* You logged in to the cluster as a user with `cluster-admin` privileges.
+* You have an existing PKCS#12 certificate for the IPsec endpoint and a CA cert in Privacy Enhanced Mail (PEM) format.
 * You enabled IPsec in either `Full` or `External` mode on your cluster.
 * The OVN-Kubernetes network plugin must be configured in local gateway mode, where `ovnKubernetesConfig.gatewayConfig.routingViaHost=true`.
 
@@ -33,7 +33,7 @@ After you apply the machine config, the Machine Config Operator reboots affected
 $ oc get nodes
 ----
 
-.. Create a file named `ipsec-config.yaml` that contains a node network configuration policy for the NMState Operator, such as in the following examples. For an overview about `NodeNetworkConfigurationPolicy` objects, see link:https://nmstate.io/kubernetes-nmstate/[The Kubernetes NMState project].
+.. Create a file named `ipsec-config.yaml` that has a node network configuration policy for the NMState Operator, such as in the following examples. For an overview about `NodeNetworkConfigurationPolicy` objects, see link:https://nmstate.io/kubernetes-nmstate/[The Kubernetes NMState project].
 +
 --
 .Example NMState IPsec transport configuration
@@ -63,10 +63,10 @@ spec:
         ikev2: insist
         type: transport
 ----
-<1> Specifies the host name to apply the policy to. This host serves as the left side host in the IPsec configuration.
+<1> Specifies the hostname to apply the policy to. This host serves as the left side host in the IPsec configuration.
 <2> Specifies the name of the interface to create on the host.
-<3> Specifies the host name of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
-<4> Specifies the external host name, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
+<3> Specifies the hostname of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
+<4> Specifies the external hostname, such as `host.example.com`. The name should match the Storage Area Network (SAN) `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
 <5> Specifies the IP address of the external host, such as `10.1.2.3/32`.
 
 .Example NMState IPsec tunnel configuration
@@ -96,10 +96,10 @@ spec:
         ikev2: insist
         type: tunnel
 ----
-<1> Specifies the host name to apply the policy to. This host serves as the left side host in the IPsec configuration.
+<1> Specifies the hostname to apply the policy to. This host serves as the left side host in the IPsec configuration.
 <2> Specifies the name of the interface to create on the host.
-<3> Specifies the host name of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
-<4> Specifies the external host name, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
+<3> Specifies the hostname of the cluster node that terminates the IPsec tunnel on the cluster side. The name should match SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
+<4> Specifies the external hostname, such as `host.example.com`. The name should match the SAN `[Subject Alternate Name]` from your supplied PKCS#12 certificates.
 <5> Specifies the IP address of the external host, such as `10.1.2.3/32`.
 --
 
@@ -110,16 +110,23 @@ spec:
 $ oc create -f ipsec-config.yaml
 ----
 
-. Provide the following certificate files to add to the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in subsequent steps.
+. Give the following certificate files to add to the Network Security Services (NSS) database on each host. These files are imported as part of the Butane configuration in the next steps.
 +
 --
 * `left_server.p12`: The certificate bundle for the IPsec endpoints
 * `ca.pem`: The certificate authority that you signed your certificates with
 --
 
 . Create a machine config to add your certificates to the cluster:
-
-.. To create Butane config files for the control plane and worker nodes, enter the following command:
++
+.. Use the `pk12util` tool, which comes prepackaged with {op-system-base-full}, to specify a password that protects `PKCS#12` files by entering the following command. Ensure that you replace the `<password>` value with your password.
++
+[source,terminal]
+----
+$ pk12util -W "<password>" -i /etc/pki/certs/left_server.p12 -d /var/lib/ipsec/nss/
+----
++
+.. To create Butane config files for the control plane and compute nodes, enter the following command:
 +
 [NOTE]
 ====
@@ -178,8 +185,8 @@ $ for role in master worker; do
 EOF
 done
 ----
-
-.. To transform the Butane files that you created in the previous step into machine configs, enter the following command:
++
+.. To transform the Butane files that you created in the earlier step into machine configs, enter the following command:
 +
 [source,terminal]
 ----
@@ -217,6 +224,7 @@ By default, the MCO updates one machine per pool at a time, causing the total ti
 ====
 
 . To confirm that IPsec machine configs rolled out successfully, enter the following commands:
++
 .. Confirm that the IPsec machine configs were created:
 +
 [source,terminal]
@@ -230,7 +238,7 @@ $ oc get mc | grep ipsec
 80-ipsec-master-extensions        3.2.0        6d15h
 80-ipsec-worker-extensions        3.2.0        6d15h
 ----
-
++
 .. Confirm that the that the IPsec extension are applied to control plane nodes:
 +
 [source,terminal]
@@ -243,8 +251,8 @@ $ oc get mcp master -o yaml | grep 80-ipsec-master-extensions -c
 ----
 2
 ----
-
-.. Confirm that the that the IPsec extension are applied to worker nodes:
++
+.. Confirm that the IPsec extension are applied to compute nodes:
 +
 [source,terminal]
 ----