openshift · stevsmit · Oct 27, 2022 · Aug 25, 2022
diff --git a/modules/ossm-threescale-applying-external-service-entry-objects.adoc b/modules/ossm-threescale-applying-external-service-entry-objects.adoc
@@ -6,21 +6,22 @@
 [id="ossm-threescale-applying-external-service-entry-objects_{context}"]
 = Applying 3scale external ServiceEntry objects
 
-To have the `threescale-wasm-auth` module authorize requests against 3scale, the module must have access to 3scale services. You can accomplish this within {SMProductName} and Istio by applying an external `ServiceEntry` object.
+To have the `threescale-wasm-auth` module authorize requests against 3scale, the module must have access to 3scale services. You can do this within {SMProductName} by applying an external `ServiceEntry` object and a corresponding `DestinationRule` object for TLS configuration to use the HTTPS protocol.
 
-The custom resources set up the service entries for access from within {SMProductShortName} to 3scale Hosted (SaaS) for the backend and system components of the Service Management API and the Account Management API. The Service Management API receives queries for the authorization status of each request. The Account Management API provides API management configuration settings for your services.
+The custom resources (CRs) set up the service entries and destination rules for secure access from within {SMProductShortName} to 3scale Hosted (SaaS) for the backend and system components of the Service Management API and the Account Management API. The Service Management API receives queries for the authorization status of each request. The Account Management API provides API management configuration settings for your services.
 
 .Procedure
 
-* Apply the following external `ServiceEntry` custom resources to your cluster:
+. Apply the following external `ServiceEntry` CR and related `DestinationRule` CR for 3scale Hosted *backend* to your cluster:
+.. Add the `ServiceEntry` CR to a file called `service-entry-threescale-saas-backend.yml`:
 +
-.Custom resource for 3scale Hosted backend
+.ServiceEntry CR
 [source,terminal]
 ----
 apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
-  name: threescale-saas-backend
+  name: service-entry-threescale-saas-backend
 spec:
   hosts:
   - su1.3scale.net
@@ -31,14 +32,47 @@ spec:
   location: MESH_EXTERNAL
   resolution: DNS
 ----
+.. Add the `DestinationRule` CR to a file called `destination-rule-threescale-saas-backend.yml`:
 +
-.Custom resource for 3scale Hosted system
+.DestinationRule CR
+[source,terminal]
+----
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: destination-rule-threescale-saas-backend
+spec:
+  host: su1.3scale.net
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+      sni: su1.3scale.net
+----
+
+.. Apply and save the external `ServiceEntry` CR for the 3scale Hosted backend to your cluster, by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f service-entry-threescale-saas-backend.yml
+----
+
+.. Apply and save the external `DestinationRule` CR for the 3scale Hosted backend to your cluster, by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f destination-rule-threescale-saas-backend.yml
+----
+
+. Apply the following external `ServiceEntry` CR and related `DestinationRule` CR for 3scale Hosted *system* to your cluster:
+.. Add the `ServiceEntry` CR to a file called `service-entry-threescale-saas-system.yml`:
++
+.ServiceEntry CR
 [source,terminal]
 ----
 apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
-  name: threescale-saas-system
+  name: service-entry-threescale-saas-system
 spec:
   hosts:
   - multitenant.3scale.net
@@ -49,25 +83,39 @@ spec:
   location: MESH_EXTERNAL
   resolution: DNS
 ----
+.. Add the `DestinationRule` CR to a file called `destination-rule-threescale-saas-system.yml`:
 +
-You can use the `oc apply` command with either of the following methods to apply the objects:
+.DestinationRule CR
+[source,terminal]
+----
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: destination-rule-threescale-saas-system
+spec:
+  host: multitenant.3scale.net
+  trafficPolicy:
+    tls:
+      mode: SIMPLE
+      sni: multitenant.3scale.net
+----
 
-** Save the objects to one or more files, and then use the following syntax:
+.. Apply and save the external `ServiceEntry` CR for the 3scale Hosted system to your cluster, by running the following command:
 +
 [source,terminal]
 ----
-$ oc apply -f <filename.yml>
+$ oc apply -f service-entry-threescale-saas-system.yml
 ----
 
-** To apply the objects without first saving them to a file, use the following command:
+.. Apply and save the external `DestinationRule` CR for the 3scale Hosted system to your cluster, by running the following command:
 +
 [source,terminal]
 ----
-$ echo -n "<filename.yml>" | oc apply -f -
+$ oc apply -f <destination-rule-threescale-saas-system.yml>
 ----
 
-Alternatively, you can deploy an in-mesh 3scale service. To do this, change the location of these services in the custom resources.
+Alternatively, you can deploy an in-mesh 3scale service. To deploy an in-mesh 3scale service, change the location of the services in the CR by deploying 3scale and linking to the deployment.
 
 [role="_additional-resources"]
 .Additional resources
-* xref:../../service_mesh/v2x/ossm-traffic-manage.adoc#ossm-routing-service-entries_traffic-management[`ServiceEntry` documentation]
+* xref:../../service_mesh/v2x/ossm-traffic-manage.adoc#ossm-routing-service-entries_traffic-management[Service entry and destination rule documentation]