update message for cert.tf

examples/full-cluster/common-services/cert.tf

@@ -38,9 +38,18 @@ Now submit file to TCO for signing and return the result as below:
   dns  = ${local.ca_dns_name}
   csr  = certs/${local.ca_dns_name}.csr
 
-Ask for the certificate to be signed with the Linux (v2) PKI CA with the command:
+**IMPORTANT**
 
-% ./sign-subordinate-ca-cert.sh ${local.ca_dns_name}.csr 'c=US,o=U.S. Census Bureau,OU=PKI,ou=EKS,ou=${var.vpc_full_name},ou=${var.cluster_name},cn=${local.ca_dns_name}' 730"
+We are no longer issuing certificate from the Linux (v2) PKI, so you must request one from the MS CA.
+Ask for the certificate to be signed with the Microsoft (MS CA, v3) PKI CA with the command (Windows, PowerShell):
+
+  certreq -submit -attrib "CertificateTemplate:USCBSubordinateCertificationAuthority"  ${local.ca_dns_name}.csr  ${local.ca_dns_name}.cer
+
+It is very important that this certificate be issued as a Subordinate Certification Authority. The default method of a server certificate
+will fail and will cause a lot of issues.
+
+Further, you will NOT enable the download option with the MS CA.  If you receive a download link to ca.apps.tco.census.gov, do not attempt
+to proceed, and request the correctly-signed certificate as described above.
 
 EOM
 }

examples/full-cluster/common-services/copy_images.tf

@@ -73,8 +73,8 @@ locals {
 resource "null_resource" "copy_images" {
   for_each = { for image in local.images : image.name => image if image.enabled }
   triggers = {
-    name = each.key
-    image = format("%v:%v",each.value.image,each.value.tag)
+    name  = each.key
+    image = format("%v:%v", each.value.image, each.value.tag)
   }
 
   provisioner "local-exec" {

examples/full-cluster/common-services/main.tf

@@ -10,7 +10,7 @@ locals {
     "metrics-server" = {
       name       = "metrics-server"
       repository = "https://charts.bitnami.com/bitnami"
-#      version    = "5.10.4"
+      #      version    = "5.10.4"
       version    = "5.11.9"
       use_remote = true
     }