fix: WPB-25750 update multi-ingress documentation

src/how-to/install/multi-ingress.md

@@ -93,11 +93,12 @@ Wire-server backend values can be found at: [https://github.com/wireapp/wire-ser
 galley:
   config:
       settings:
-          conversationCodeURI: https://accounts.green.example.org/conversation-join/
+          conversationCodeURI: https://account.green.example.org/conversation-join/
       multiIngress:
-        red.example.com: https://accounts.red.example.com/conversation-join/
-        blue.example.net: https://accounts.blue.example.net/conversation-join/
+        red.example.com: https://account.red.example.com/conversation-join/
+        blue.example.net: https://account.blue.example.net/conversation-join/
 ```
+Note: `settings.multiIngress` and `settings.conversationCodeURI` are mutually exclusive.
 
 ### Cargohold
 
@@ -177,7 +178,7 @@ Webapp values can be found at: [https://github.com/wireapp/wire-server-deploy/bl
 Override the whole file with following:
 
 ```yaml
-replicaCount: 1
+replicaCount: 3
 config:
   externalUrls:
     backendRest: "nginz-https.[[hostname]]"
@@ -245,6 +246,7 @@ For each additional domain (e.g., `red.example.com`, `blue.example.net`), you mu
 
 - **Unique release names** (e.g., `nginx-ingress-services-red`, `nginx-ingress-services-blue`)
 - **Domain-specific values files** with distinct configurations
+- **Separate TLS certificates**  (e.g., `values/nginx-ingress-services/red-key.pem`, `values/nginx-ingress-services/red-cert.pem`)
 
 ### Prepare values for red domain
 
@@ -259,23 +261,13 @@ accountPages:
   enabled: true
 tls:
   enabled: true
-  # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of
-  #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
-  #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
   useCertManager: false
   issuer:
     kind: ClusterIssuer
-certManager:
-  inTestMode: false
-  # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
-  #                notice and other Letsencrypt related notification
-  certmasterEmail: email@red.example.com
-
-# CHANGEME-PROD: These values are suggested for deployments on bare metal and
-#                should be adjusted on a per installation basis
 
 config:
   dns:
+    base: red.example.com
     https: nginz-https.red.example.com
     ssl: nginz-ssl.red.example.com
     webapp: webapp.red.example.com
@@ -300,7 +292,7 @@ service:
 Deploy this chart as following:
 
 ```bash
-helm upgrade --install nginx-ingress-services-red charts/nginx-ingress-services -f values/nginx-ingress-services/red-values.yaml
+helm upgrade --install nginx-ingress-services-red charts/nginx-ingress-services -f values/nginx-ingress-services/red-values.yaml --set-file secrets.tlsWildcardCert=values/nginx-ingress-services/red-cert.pem --set-file secrets.tlsWildcardKey=values/nginx-ingress-services/red-key.pem
 ```
 
 ### Prepare values for blue domain
@@ -318,23 +310,13 @@ accountPages:
   enabled: true
 tls:
   enabled: true
-  # NOTE: enable to automate certificate issuing with jetstack/cert-manager instead of
-  #       providing your own certs in secrets.yaml. Cert-manager is not installed automatically,
-  #       it needs to be installed beforehand (see ./../../charts/certificate-manager/README.md)
   useCertManager: false
   issuer:
     kind: ClusterIssuer
-certManager:
-  inTestMode: false
-  # CHANGEME-PROD: required, if certificate manager is used; set to receive cert expiration
-  #                notice and other Letsencrypt related notification
-  certmasterEmail: email@blue.example.net
-
-# CHANGEME-PROD: These values are suggested for deployments on bare metal and
-#                should be adjusted on a per installation basis
 
 config:
   dns:
+    base: blue.example.net
     https: nginz-https.blue.example.net
     ssl: nginz-ssl.blue.example.net
     webapp: webapp.blue.example.net
@@ -359,7 +341,23 @@ service:
 It will be deployed as:
 
 ```bash
-helm upgrade --install nginx-ingress-services-blue charts/nginx-ingress-services -f values/nginx-ingress-services/blue-values.yaml
+helm upgrade --install nginx-ingress-services-blue charts/nginx-ingress-services -f values/nginx-ingress-services/blue-values.yaml --set-file secrets.tlsWildcardCert=values/nginx-ingress-services/red-cert.pem --set-file secrets.tlsWildcardKey=values/nginx-ingress-services/red-key.pem
+```
+
+### Patch the CSP (Content security policy) for each multi-ingress domain
+
+When the Webapp is used with multi-ingress calling, the ingress CSP configuration must explicitly allow the corresponding Calling endpoint (SFT_DOMAIN).
+This update ensures that the browser accepts resources and connections required for calling functionality. The same need to be repeated for each multi-ingress domain. To find out which `SFT_DOMAIN` can be used, continue reading the [Calling](#calling) section.
+
+```bash
+d bash
+kubectl get ingress nginx-ingress-red -o yaml > nginx-ingress-red.yaml
+MULTI_DOMAIN="red.example.com"
+SFT_DOMAIN="sft.example-calling.com"
+sed -i "s|} https://\\*\\.${MULTI_DOMAIN};|} https://*.${MULTI_DOMAIN} https://${SFT_DOMAIN};|" nginx-ingress-red.yaml
+# debug command to verify
+kubectl diff -f nginx-ingress-red.yaml
+kubectl apply -f nginx-ingress-red.yaml
 ```
 
 ### Verify the deployment