From 3c62cf6849278ba9f3a590db336738d04382927c Mon Sep 17 00:00:00 2001 From: Juanita Balaraj Date: Thu, 17 Aug 2023 22:54:36 +0000 Subject: [PATCH] Updated Limitation and Workaround for using IPv6 addresses in Cert management (r6, dsr6) Fixed formatting errors Change-Id: I2c1cc4b1f17982656d75061141f88af63920a0fb Signed-off-by: Juanita Balaraj --- .../kubernetes/https-access-overview.rst | 48 +++++++++++++++++++ ...kubernetes-user-tutorials-cert-manager.rst | 48 +++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index 7c7a9b2a7..c79b6bbcd 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst 
@@ -111,3 +111,51 @@ In addition, |prod| monitors the installed certificates on the system by raising alarms for expire-soon certificates and for expired certificates on the system, see :ref:`Expiring-Soon and Expired Certificate Alarms `. + +--------------------------------------------------------------------------- +Limitations for using IPv6 addresses related to management and OAM networks +--------------------------------------------------------------------------- + +Cert-manager accepts only short-hand IPv6 addresses. + +**Workaround**: You must use the following rules when defining IPv6 addresses +to be used by Cert-manager. + +- all letters must be in lower case + +- each group of hexadecimal values must not have any leading 0s + (use :12: instead of :0012:) + +- the longest sequence of consecutive all-zero fields must be short-handed + with ``::`` + +- ``::`` must not be used to short-hand an IPv6 address with 7 groups of hexadecimal + values, use :0: instead of ``::`` + +.. note:: + + Use the rules above to set the IPv6 address related to the management + and |OAM| network in the Ansible bootstrap overrides file, ``localhost.yml``. + +.. code-block:: none + + apiVersion: cert-manager.io/v1alpha2 + kind: Certificate + metadata: + name: oidc-auth-apps-certificate + namespace: pvtest + spec: + duration: 1h + renewBefore: 55m + secretName: oidc-auth-apps-certificate + dnsNames: + - ahost.com + ipAddresses: + - 2620:10a:a001:a103::11 + organization: + - WRCP-System + issuerRef: + name: cloudplatform-interca-issuer + kind: Issuer + controller-0:~$ + diff --git a/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst b/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst index 6e328278c..c790a87b5 100644 --- a/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst +++ b/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst 
@@ -158,3 +158,51 @@ service externally. There are typically two options: ` section for an example of how to configure an application to use NodePort to expose its self-managed |TLS|-based service and to use an Internal |CA| for signing CERTIFICATEs. + +--------------------------------------------------------------------------- +Limitations for using IPv6 addresses related to management and OAM networks +--------------------------------------------------------------------------- + +Cert-manager accepts only short-hand IPv6 addresses. + +**Workaround**: You must use the following rules when defining IPv6 addresses +to be used by Cert-manager. + +- all letters must be in lower case + +- each group of hexadecimal values must not have any leading 0s + (use :12: instead of :0012:) + +- the longest sequence of consecutive all-zero fields must be short-handed + with ``::`` + +- ``::`` must not be used to short-hand an IPv6 address with 7 groups of hexadecimal + values, use :0: instead of ``::`` + +.. note:: + + Use the rules above to set the IPv6 address related to the management + and |OAM| network in the Ansible bootstrap overrides file, ``localhost.yml``. + +.. code-block:: none + + apiVersion: cert-manager.io/v1alpha2 + kind: Certificate + metadata: + name: oidc-auth-apps-certificate + namespace: pvtest + spec: + duration: 1h + renewBefore: 55m + secretName: oidc-auth-apps-certificate + dnsNames: + - ahost.com + ipAddresses: + - 2620:10a:a001:a103::11 + organization: + - WRCP-System + issuerRef: + name: cloudplatform-interca-issuer + kind: Issuer + controller-0:~$ +
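Review bot: in the https-access-overview.rst hunk the example block ends with a stray shell prompt, `controller-0:~$`, inside what is otherwise a YAML Certificate manifest; drop that line (or show the `kubectl apply -f` invocation separately) and tag the block `.. code-block:: yaml` instead of `none` so it is highlighted. Two more points on the same block: `apiVersion: cert-manager.io/v1alpha2` is the legacy API group, which cert-manager stopped serving from release 1.6 onward, so readers on a current platform should be shown `cert-manager.io/v1`, where the top-level `organization:` list becomes `spec.subject.organizations`; and the block has no lead-in at all, so after a note that talks about `localhost.yml` the reader is not told that this is a Certificate whose ``ipAddresses`` entry follows the rules. The opening sentence "Cert-manager accepts only short-hand IPv6 addresses" would also be more useful if it said what a reader sees when the form is wrong (a rejected resource, or a certificate that is never considered up to date), since that is the symptom someone will be debugging.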
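Review bot: the kubernetes-user-tutorials-cert-manager.rst hunk pastes the same 48 lines verbatim into a second file, so every defect in the first copy (the stray `controller-0:~$` prompt closing the YAML block, the legacy `cert-manager.io/v1alpha2` apiVersion, the unintroduced example) now exists twice and the two will drift the next time either file is edited; keep the limitation in one place and point at it with `:ref:` from the other, or move the shared text into a snippet pulled in with `.. include::`. On the rules themselves: they are the canonical text representation from RFC 5952 and should cite it, and one case is missing, namely RFC 5952 section 4.2.3 requires that when two zero runs are of equal length the first run is the one collapsed to `::`, which "the longest sequence of consecutive all-zero fields" does not decide. Finally, the inline examples `:12:`, `:0012:` and `:0:` should be in double backticks like the `::` next to them, for consistency and so they render as literals.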