diff --git a/docs/helm-charts/configure-custom-values-envoy.mdx b/docs/helm-charts/configure-custom-values-envoy.mdx index 57f7b0cd..e3dd2511 100644 --- a/docs/helm-charts/configure-custom-values-envoy.mdx +++ b/docs/helm-charts/configure-custom-values-envoy.mdx @@ -9,6 +9,7 @@ displayed_sidebar: docsEnglish import Tabs from '@theme/Tabs'; import TabItem from '@theme/TabItem'; +import CertificateManagement from '/src/components/en-us/_certificate-management.mdx'; This document explains how to create your custom values file for the Scalar Envoy chart. If you want to know the details of the parameters, please refer to the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/envoy/README.md) of the Scalar Envoy chart. 
@@ -166,50 +167,7 @@ You can enable TLS in: - Downstream connections between the client and Scalar Envoy. - Upstream connections between Scalar Envoy and Scalar products. -In addition, you have several options from the following two perspectives: - -1. Management of private key and certificate files - 1. Manage your private key and certificate files automatically by using [cert-manager](https://cert-manager.io/docs/). - - You can reduce maintenance or operation costs. For example, cert-manager automatically renews certificates before they expire and Scalar Helm Chart automatically mounts private key and certificate files on the Scalar product pods. - - You cannot use a CA that cert-manager does not support. You can see the supported issuer in the [cert-manager documentation](https://cert-manager.io/docs/configuration/issuers/). - 1. Manage your private key and certificate files manually. - - You can issue and manage your private key and certificate files by using your preferred method on your own. - - You can use any certificate even if cert-manager does not support it. - - You must update secret resources when certificates expire. -1. Kinds of certificates - 1. Use a trusted CA (signed certificate by third party). - - You can use trusted certificates from a third-party certificate issuer. - - You can encrypt packets. - - You must pay costs to issue trusted certificates. - 1. Use self-signed certificates. - - You can reduce costs to issue certificates. - - Reliability of certificates is lower than a trusted CA, but you can encrypt packets. - -In other words, you have the following four options: - -1. Use a self-signed CA with automatic management. -1. Use a trusted CA with automatic management. -1. Use a self-signed CA with manual management. -1. Use a trusted CA with manual management. - -You should consider which method you use based on your security requirements. 
For guidance and related documentation for each method, refer to the following decision tree: - -```mermaid -flowchart TD - A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?] - A -->|Yes, I want to manage my
certificates automatically.| B - A -->|No, I want to manage my
certificates manually by myself.| C - B[Do you want to use a
self-signed CA or a trusted CA?] - C[Do you want to use a
self-signed CA or a trusted CA?] - B -->|I want to use a
self-signed CA.| D - B -->|I want to use a
trusted CA.| E - C -->|I want to use a
self-signed CA.| F - C -->|I want to use a
trusted CA.| G - D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files
section.] - E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files
section.] - F[See the Use your private
key and certificate files

section, and use the self-signed
certificate you generated.] - G[See the Use your private key
and certificate files
section,
and use the trusted certificate
generated by the third party.] -``` + #### Enable TLS in downstream connections diff --git a/docs/helm-charts/configure-custom-values-scalardb-analytics-server.mdx b/docs/helm-charts/configure-custom-values-scalardb-analytics-server.mdx new file mode 100644 index 00000000..8e622630 --- /dev/null +++ b/docs/helm-charts/configure-custom-values-scalardb-analytics-server.mdx 
@@ -0,0 +1,278 @@ +--- +tags: + - Enterprise Option +displayed_sidebar: docsEnglish +--- + +# Configure a custom values file for ScalarDB Analytics server + +import CertificateManagement from '/src/components/en-us/_certificate-management.mdx'; + +This document explains how to create your custom values file for the ScalarDB Analytics server chart. For details on the parameters, see the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/scalardb-analytics-server/README.md) of the ScalarDB Analytics server chart. + +## Required configurations + +This section describes the required image, database, and service configurations. + +### Image configurations + +You must set `scalarDbAnalyticsServer.image.repository`. Be sure to specify the ScalarDB Analytics server container image so that you can pull the image from the container repository. + +```yaml +scalarDbAnalyticsServer: + image: + repository: +``` + +### Database configurations + +You must set `scalarDbAnalyticsServer.properties`. For details about configuring the value of this parameter, see [ScalarDB Analytics server configuration](https://scalardb.scalar-labs.com/docs/latest/scalardb-analytics/configuration). + +```yaml +scalarDbAnalyticsServer: + properties: | + scalar.db.analytics.server.db.url=jdbc:postgresql://localhost:5432/scalardb_analytics + scalar.db.analytics.server.db.username=analytics_user + scalar.db.analytics.server.db.password=your_secure_password +``` + +### Service configurations + +You must set `scalarDbAnalyticsServer.service.type` to specify the Service resource type of Kubernetes. + +If the ScalarDB Analytics server accepts client requests from inside of the Kubernetes cluster only (for example, if you deploy your client applications on the same Kubernetes cluster as Scalar products), you can set `scalarDbAnalyticsServer.service.type` to `ClusterIP`. This configuration doesn't create any load balancers provided by cloud service providers. 
+ +```yaml +scalarDbAnalyticsServer: + service: + type: ClusterIP +``` + +If you want to use a load balancer provided by a cloud service provider to accept client requests from outside of the Kubernetes cluster, you need to set `scalarDbAnalyticsServer.service.type` to `LoadBalancer`. + +```yaml +scalarDbAnalyticsServer: + service: + type: LoadBalancer +``` + +If you want to configure the load balancer via annotations, you can also set annotations to `scalarDbAnalyticsServer.service.annotations`. + +```yaml +scalarDbAnalyticsServer: + service: + type: LoadBalancer + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" +``` + +## Optional configurations + +This section describes the optional configurations. + +### Secret configurations (recommended in production environments) + +To use environment variables to set some properties (for example, credentials), you can use `scalarDbAnalyticsServer.secretName` to specify the Secret resource that includes some credentials. + +For example, you can set credentials for a backend database (`scalar.db.analytics.server.db.username` and `scalar.db.analytics.server.db.password`) by using environment variables, which makes your pods more secure. + +```yaml +scalarDbAnalyticsServer: + secretName: "scalardb-analytics-server-credentials-secret" +``` + +:::tip + +The ScalarDB Analytics server automatically loads configurations from specific environment variables. The naming rule for the environment variables is as follows: + +- Capitalize all characters of the property name. +- Replace periods (`.`) with underscores (`_`). + +For example, if you want to set `scalar.db.analytics.server.db.username` and `scalar.db.analytics.server.db.password` via environment variables, you must set environment variables `SCALAR_DB_ANALYTICS_SERVER_DB_USERNAME` and `SCALAR_DB_ANALYTICS_SERVER_DB_PASSWORD`. 
+ +In this case, you don't need to set `scalar.db.analytics.server.db.username` and `scalar.db.analytics.server.db.password` in `scalarDbAnalyticsServer.properties`. Setting only the environment variables is enough. + +For example, you can create such a secret resource that includes `SCALAR_DB_ANALYTICS_SERVER_DB_USERNAME` and `SCALAR_DB_ANALYTICS_SERVER_DB_PASSWORD` as follows: + +```console +kubectl create secret generic scalardb-analytics-server-credentials-secret \ + --from-literal=SCALAR_DB_ANALYTICS_SERVER_DB_USERNAME=analytics_user \ + --from-literal=SCALAR_DB_ANALYTICS_SERVER_DB_PASSWORD=your_secure_password +``` + +::: + +### SecurityContext configurations (the default value is recommended) + +To set SecurityContext and PodSecurityContext for ScalarDB Analytics server pods, you can use `scalarDbAnalyticsServer.securityContext` and `scalarDbAnalyticsServer.podSecurityContext`. + +You can configure SecurityContext and PodSecurityContext by using the same syntax as SecurityContext and PodSecurityContext in Kubernetes. For more details on the SecurityContext and PodSecurityContext configurations in Kubernetes, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). + +```yaml +scalarDbAnalyticsServer: + podSecurityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + capabilities: + drop: + - ALL + runAsNonRoot: true + allowPrivilegeEscalation: false +``` + +### TLS configurations (optional based on your environment) + +You can enable TLS in: + +- The communications between the ScalarDB Analytics server and its client. + + + +#### Enable TLS + +You can enable TLS in all ScalarDB Analytics server connections by using the following configurations: + +```yaml +scalarDbAnalyticsServer: + properties: | + ...(omit)... 
+ scalar.db.analytics.server.tls.enabled=true + scalar.db.analytics.server.tls.cert_chain_path=/tls/scalardb-analytics-server/certs/tls.crt + scalar.db.analytics.server.tls.private_key_path=/tls/scalardb-analytics-server/certs/tls.key + tls: + enabled: true +``` + +:::note + +Based on the specification of the private key and certificate that are created by cert-manager and the specification of this chart, you must set the fixed file path and file name when you enable the TLS feature. Please set the above file paths and file names as is for `scalar.db.analytics.server.tls.cert_chain_path` and `scalar.db.analytics.server.tls.private_key_path`. + +::: + + +##### Use your private key and certificate files + +You can set your private key and certificate files by using the following configurations: + +```yaml +scalarDbAnalyticsServer: + tls: + enabled: true + caRootCertSecret: "scalardb-analytics-server-tls-ca" + certChainSecret: "scalardb-analytics-server-tls-cert" + privateKeySecret: "scalardb-analytics-server-tls-key" +``` + +In this case, you have to create secret resources that include private key and certificate files for the ScalarDB Analytics server as follows, replacing the contents in the angle brackets as described: + +```console +kubectl create secret generic scalardb-analytics-server-tls-ca --from-file=ca.crt= -n +kubectl create secret generic scalardb-analytics-server-tls-cert --from-file=tls.crt= -n +kubectl create secret generic scalardb-analytics-server-tls-key --from-file=tls.key= -n +``` + +For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx). 
+ +##### Use a trusted CA with cert-manager to manage your private key and certificate files + +You can manage your private key and certificate files with cert-manager by using the following configurations, replacing the content in the angle brackets as described: + +:::note + +* If you want to use cert-manager, you must deploy cert-manager and prepare the `Issuers` resource. For details, see the cert-manager documentation, [Installation](https://cert-manager.io/docs/installation/) and [Issuer Configuration](https://cert-manager.io/docs/configuration/). +* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. For details, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements). + +::: + +```yaml +scalarDbAnalyticsServer: + tls: + enabled: true + certManager: + enabled: true + issuerRef: + name: + dnsNames: + - server.analytics.scalardb.example.com +``` + +In this case, cert-manager issues your private key and certificate files by using your trusted issuer. You don't need to mount your private key and certificate files manually. + +##### Use a self-signed CA with cert-manager to manage your private key and certificate files + +You can manage your private key and self-signed certificate files with cert-manager by using the following configurations: + +:::note + +* If you want to use cert-manager, you must deploy cert-manager. For more details on how to deploy cert-manager, see [Installation](https://cert-manager.io/docs/installation/) in the official documentation for cert-manager. +* By default, Scalar Helm Chart creates a `Certificate` resource that satisfies the certificate requirements of Scalar products. 
The default certificate configuration is recommended, but if you use a custom certificate configuration, you must satisfy the certificate requirements of Scalar products. See [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.mdx#certificate-requirements). + +::: + +```yaml +scalarDbAnalyticsServer: + tls: + enabled: true + certManager: + enabled: true + selfSigned: + enabled: true + dnsNames: + - server.analytics.scalardb.example.com +``` + +In this case, Scalar Helm Charts and cert-manager issue your private key and self-signed certificate files. You don't need to mount your private key and certificate files manually. + +##### Set custom authority for TLS communications + +You can set the custom authority for TLS communications by using `scalarDbAnalyticsServer.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalarDbAnalyticsServer.tls.certChainSecret`. This chart uses this value for health check requests (`startupProbe` and `livenessProbe`). + +```yaml +scalarDbAnalyticsServer: + tls: + enabled: true + overrideAuthority: "server.analytics.scalardb.example.com" +``` + +### Affinity configurations (optional based on your environment) + +To control pod deployment by using affinity and anti-affinity in Kubernetes, you can use `scalarDbAnalyticsServer.affinity`. + +You can configure affinity and anti-affinity by using the same syntax for affinity and anti-affinity in Kubernetes. For more details on configuring affinity in Kubernetes, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). 
+ +```yaml +scalarDbAnalyticsServer: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - scalardb-analytics-server + - key: app.kubernetes.io/app + operator: In + values: + - scalardb-analytics-server + topologyKey: kubernetes.io/hostname + weight: 50 +``` + +### Taint and toleration configurations (optional based on your environment) + +If you want to control pod deployment by using the taints and tolerations in Kubernetes, you can use `scalarDbAnalyticsServer.tolerations`. + +You can configure taints and tolerations by using the same syntax as the tolerations in Kubernetes. For details on configuring tolerations in Kubernetes, see the official Kubernetes documentation [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + +```yaml +scalarDbAnalyticsServer: + tolerations: + - effect: NoSchedule + key: scalar-labs.com/dedicated-node + operator: Equal + value: scalardb-analytics-server +``` diff --git a/docs/helm-charts/configure-custom-values-scalardb-cluster.mdx b/docs/helm-charts/configure-custom-values-scalardb-cluster.mdx index f4d29e79..a5715baf 100644 --- a/docs/helm-charts/configure-custom-values-scalardb-cluster.mdx +++ b/docs/helm-charts/configure-custom-values-scalardb-cluster.mdx @@ -7,6 +7,8 @@ displayed_sidebar: docsEnglish # Configure a custom values file for ScalarDB Cluster +import CertificateManagement from '/src/components/en-us/_certificate-management.mdx'; + This document explains how to create your custom values file for the ScalarDB Cluster chart. For details on the parameters, see the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/scalardb-cluster/README.md) of the ScalarDB Cluster chart. ## Required configurations 
@@ -151,26 +153,7 @@ You can enable TLS in: - The communications between the ScalarDB Cluster node and clients. - The communications between all ScalarDB Cluster nodes (the cluster's internal communications). -In addition, you have several options for certificate management. For more details, see [TLS configurations for Envoy](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment). - -You should consider which method you use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree: - -```mermaid -flowchart TD - A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?] - A -->|Yes, I want to manage my
certificates automatically.| B - A -->|No, I want to manage my
certificates manually by myself.| C - B[Do you want to use a
self-signed CA or a trusted CA?] - C[Do you want to use a
self-signed CA or a trusted CA?] - B -->|I want to use a
self-signed CA.| D - B -->|I want to use a
trusted CA.| E - C -->|I want to use a
self-signed CA.| F - C -->|I want to use a
trusted CA.| G - D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files
section.] - E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files
section.] - F[See the Use your private
key and certificate files

section, and use the self-signed
certificate you generated.] - G[See the Use your private key
and certificate files
section,
and use the trusted certificate
generated by the third party.] -``` + #### Enable TLS diff --git a/docs/helm-charts/configure-custom-values-scalardl-auditor.mdx b/docs/helm-charts/configure-custom-values-scalardl-auditor.mdx index 223ec550..a045023d 100644 --- a/docs/helm-charts/configure-custom-values-scalardl-auditor.mdx +++ b/docs/helm-charts/configure-custom-values-scalardl-auditor.mdx @@ -6,6 +6,8 @@ displayed_sidebar: docsEnglish # Configure a custom values file for ScalarDL Auditor +import CertificateManagement from '/src/components/en-us/_certificate-management.mdx'; + This document explains how to create your custom values file for the ScalarDL Auditor chart. If you want to know the details of the parameters, please refer to the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/scalardl-audit/README.md) of the ScalarDL Auditor chart. ## Required configurations @@ -166,26 +168,7 @@ You can enable TLS in: - The communications between the ScalarDL Auditor and clients. - The communications between the ScalarDL Ledger and ScalarDL Auditor. -In addition, you have several options for certificate management. For more details, see [TLS configurations for Envoy](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment). - -You should consider which method you use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree: - -```mermaid -flowchart TD - A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?] - A -->|Yes, I want to manage my
certificates automatically.| B - A -->|No, I want to manage my
certificates manually by myself.| C - B[Do you want to use a
self-signed CA or a trusted CA?] - C[Do you want to use a
self-signed CA or a trusted CA?] - B -->|I want to use a
self-signed CA.| D - B -->|I want to use a
trusted CA.| E - C -->|I want to use a
self-signed CA.| F - C -->|I want to use a
trusted CA.| G - D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files
section.] - E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files
section.] - F[See the Use your private
key and certificate files

section, and use the self-signed
certificate you generated.] - G[See the Use your private key
and certificate files
section,
and use the trusted certificate
generated by the third party.] -``` + #### Enable TLS diff --git a/docs/helm-charts/configure-custom-values-scalardl-ledger.mdx b/docs/helm-charts/configure-custom-values-scalardl-ledger.mdx index 0e1671da..4328f3b1 100644 --- a/docs/helm-charts/configure-custom-values-scalardl-ledger.mdx +++ b/docs/helm-charts/configure-custom-values-scalardl-ledger.mdx @@ -6,6 +6,8 @@ displayed_sidebar: docsEnglish # Configure a custom values file for ScalarDL Ledger +import CertificateManagement from '/src/components/en-us/_certificate-management.mdx'; + This document explains how to create your custom values file for the ScalarDL Ledger chart. If you want to know the details of the parameters, please refer to the [README](https://github.com/scalar-labs/helm-charts/blob/main/charts/scalardl/README.md) of the ScalarDL Ledger chart. ## Required configurations @@ -166,26 +168,7 @@ You can enable TLS in: - The communications between the ScalarDL Ledger and clients. - The communications between the ScalarDL Ledger and ScalarDL Auditor. -Also, you have several options from the certificate management. See [TLS configurations on the Envoy document side](./configure-custom-values-envoy.mdx#tls-configurations-optional-based-on-your-environment) for more details. - -Please consider which you use based on your security requirements. According to your decision, you can see the related document as follows: - -```mermaid -flowchart TD - A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?] - A -->|Yes, I want to manage my
certificates automatically.| B - A -->|No, I want to manage my
certificates manually by myself.| C - B[Do you want to use a
self-signed CA or a trusted CA?] - C[Do you want to use a
self-signed CA or a trusted CA?] - B -->|I want to use a
self-signed CA.| D - B -->|I want to use a
trusted CA.| E - C -->|I want to use a
self-signed CA.| F - C -->|I want to use a
trusted CA.| G - D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files
section.] - E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files
section.] - F[See the Use your private
key and certificate files

section, and use the self-signed
certificate you generated.] - G[See the Use your private key
and certificate files
section,
and use the trusted certificate
generated by the third party.] -``` + #### Enable TLS diff --git a/src/components/en-us/_certificate-management.mdx b/src/components/en-us/_certificate-management.mdx new file mode 100644 index 00000000..4243f8db --- /dev/null +++ b/src/components/en-us/_certificate-management.mdx 
@@ -0,0 +1,44 @@ +You have several options for certificate management: + +1. Management of private key and certificate files + 1. Manage your private key and certificate files automatically by using [cert-manager](https://cert-manager.io/docs/). + - This method can reduce maintenance or operation costs. For example, cert-manager automatically renews certificates before they expire and Scalar Helm Chart automatically mounts private key and certificate files on the Scalar product pods. + - You cannot use a CA that cert-manager does not support. You can see the supported issuers in the [cert-manager documentation](https://cert-manager.io/docs/configuration/issuers/). + 1. Manage your private key and certificate files manually. + - You can issue and manage your private key and certificate files on your own by using your preferred method. + - You can use any certificate even if cert-manager does not support it. + - You must update secret resources when certificates expire. +1. Kinds of certificates + 1. Use a trusted CA (signed certificate by third party). + - You can use trusted certificates from a third-party certificate issuer. + - You can encrypt packets. + - You must pay costs to issue trusted certificates. + 1. Use self-signed certificates. + - You can reduce costs to issue certificates. + - Reliability of certificates is lower than a trusted CA, but you can encrypt packets. + +In other words, you have the following four options: + +1. Use a self-signed CA with automatic management. +1. Use a trusted CA with automatic management. +1. Use a self-signed CA with manual management. +1. Use a trusted CA with manual management. + +You should consider which method to use based on your security requirements. For guidance and related documentation for each method, refer to the following decision tree: + +```mermaid +flowchart TD + A[Do you want to use
cert-manager to manage your
private key and certificate
files automatically?] + A -->|Yes, I want to manage my
certificates automatically.| B + A -->|No, I want to manage my
certificates manually by myself.| C + B[Do you want to use a
self-signed CA or a trusted CA?] + C[Do you want to use a
self-signed CA or a trusted CA?] + B -->|I want to use a
self-signed CA.| D + B -->|I want to use a
trusted CA.| E + C -->|I want to use a
self-signed CA.| F + C -->|I want to use a
trusted CA.| G + D[See the Use a self-signed
CA with cert-manager to
manage your private key and
certificate files
section.] + E[See the Use a trusted
CA with cert-manager to
manage private key and
certificate files
section.] + F[See the Use your private
key and certificate files

section, and use the self-signed
certificate you generated.] + G[See the Use your private key
and certificate files
section,
and use the trusted certificate
generated by the third party.] +``` diff --git a/src/components/ja-jp/_certificate-management.mdx b/src/components/ja-jp/_certificate-management.mdx new file mode 100644 index 00000000..9aa8eb50 --- /dev/null +++ b/src/components/ja-jp/_certificate-management.mdx @@ -0,0 +1,44 @@ +証明書管理にはいくつかのオプションがあります。 + +1. 秘密鍵と証明書ファイルの管理 + 1. [cert-manager](https://cert-manager.io/docs/) を使用して秘密鍵と証明書ファイルを自動的に管理します。 + - メンテナンスや運用のコストを削減できます。たとえば、cert-manager は証明書の有効期限が切れる前に自動的に更新し、Scalar Helm Chart は秘密鍵と証明書ファイルを Scalar 製品ポッドに自動的にマウントします。 + - cert-manager がサポートしていない CA は使用できません。サポートされている発行元は [cert-manager ドキュメント](https://cert-manager.io/docs/configuration/issuers/)で確認できます。 + 1. 秘密鍵と証明書ファイルを手動で管理します。 + - ご自身のお好みの方法で、秘密鍵と証明書ファイルを発行・管理することができます。 + - cert-manager がサポートしていない場合でも、任意の証明書を使用できます。 + - 証明書の有効期限が切れた場合は、シークレットリソースを更新する必要があります。 +1. 証明書の種類 + 1. 信頼できる CA (サードパーティによる署名付き証明書) を使用します。 + - サードパーティの証明書発行者からの信頼できる証明書を使用できます。 + - パケットを暗号化できます。 + - 信頼できる証明書を発行するには費用を支払う必要があります。 + 1. 自己署名証明書を使用します。 + - 証明書発行にかかるコストを削減できます。 + - 証明書の信頼性は信頼できる CA よりも低くなりますが、パケットを暗号化できます。 + +つまり、次の4つのオプションがあります。 + +1. 自動管理で自己署名 CA を使用します。 +1. 自動管理で信頼できる CA を使用します。 +1. 手動管理で自己署名 CA を使用します。 +1. 手動管理で信頼できる CA を使用します。 + +セキュリティ要件に基づいて、どの方法を使用するかを検討する必要があります。各方法のガイダンスと関連ドキュメントについては、次の意思決定ツリーを参照してください。 + +```mermaid +flowchart TD + A[cert-manager を使用して
秘密鍵と証明書ファイルを
自動的に管理しますか?] + A -->|はい、証明書を自動的に
管理したいです。| B + A -->|いいえ、証明書は自分で手動で
管理したいです。| C + B[自己署名 CA と
信頼された CA の
どちらを使用しますか?] + C[自己署名 CA と
信頼された CA の
どちらを使用しますか?] + B -->|自己署名 CA を
使用したいです。| D + B -->|信頼できる CA
を使用したいです。| E + C -->|自己署名 CA
を使用したいです。| F + C -->|信頼できる CA
を使用したいです。| G + D[cert-manager で自己署名 CA を使用して
秘密鍵と証明書ファイルを管理する

を参照してください。] + E[cert-manager で信頼できる CA を使用して
秘密鍵と証明書ファイルを管理する

を参照してください。] + F[秘密鍵と証明書ファイルを使用するを参照し、
生成した自己署名証明書を使用します。] + G[秘密鍵と証明書ファイルを使用するを参照し、
第三者によって生成された
信頼できる証明書を使用します。] +```
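Review bot: in the envoy hunk `@@ -166,50 +167,7 @@`, the removed options list and decision tree are replaced by a single `+` line that is blank as shown, directly before `#### Enable TLS in downstream connections`. If that line does not actually render the newly imported `CertificateManagement` component, the page loses the certificate-management guidance entirely and the import added in the first envoy hunk is unused; please confirm the component tag is present there and is followed by a blank line so MDX does not fold it into the heading. The same check applies to the matching `-In addition, you have several options ...` hunks in the scalardb-cluster, scalardl-auditor and scalardl-ledger files, and to the TLS configurations section of the new scalardb-analytics-server file, which shows the same blank `+` line between the connection list and `#### Enable TLS`.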
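Review bot: in the new scalardb-analytics-server file, the `Database configurations` example under `## Required configurations` puts `scalar.db.analytics.server.db.password=your_secure_password` directly into `scalarDbAnalyticsServer.properties`, while the `Secret configurations (recommended in production environments)` section further down says credentials should be supplied through a Secret. Values files are normally kept in version control, so suggest dropping the username/password lines from the required example (or replacing them with a comment) and pointing readers to `scalarDbAnalyticsServer.secretName` with `SCALAR_DB_ANALYTICS_SERVER_DB_USERNAME` / `SCALAR_DB_ANALYTICS_SERVER_DB_PASSWORD`, so the first example a reader copies is not the one that embeds a plaintext database password.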
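Review bot: in the en-us `_certificate-management.mdx` hunk, leaf node E of the decision tree reads `Use a trusted CA with cert-manager to manage private key and certificate files`, while node D and the corresponding heading in the analytics-server file read `... to manage your private key and certificate files`; since these labels are now shared by five pages and are meant to match section headings, make E say `manage your private key`. Separately, the bullet `Reliability of certificates is lower than a trusted CA, but you can encrypt packets` understates the actual trade-off: a self-signed CA provides no third-party identity assurance, so every client must be explicitly configured to trust that CA (the `caRootCertSecret` path shown in the analytics-server file), otherwise the connection is encrypted but the server is not authenticated; suggest wording the bullet that way rather than as "lower reliability".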
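Review bot: the ja-jp `_certificate-management.mdx` hunk uses `信頼された CA` in nodes B and C but `信頼できる CA` in the edge labels and in the option list above the diagram; pick one term for consistency with the rest of the component. Also, no page in this patch imports the ja-jp component (all four `import CertificateManagement` lines point at `/src/components/en-us/_certificate-management.mdx`), so either wire it into the Japanese pages in this change or state in the PR that this is a follow-up.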