fix: update secrets management guide with 8.9 changes

docs/self-managed/deployment/helm/configure/secret-management.md

@@ -339,62 +339,59 @@ global:
 
 ## TLS certificates
 
-For TLS-enabled services, you'll need to configure certificate secrets.
+TLS certificate secrets for Camunda components and external services.
 
-### Secrets using the legacy pattern (all versions)
+### Secrets using the new pattern (Camunda 8.9+)
 
-| **Secret**                          | **Chart values key**                      | **Purpose**                                         |
-| ----------------------------------- | ----------------------------------------- | --------------------------------------------------- |
-| **Console TLS Certificate**         | `console.tls.existingSecret`              | TLS certificate for Console web application         |
-| **External Elasticsearch TLS Cert** | `global.elasticsearch.tls.existingSecret` | TLS certificate for external Elasticsearch over SSL |
-| **External OpenSearch TLS Cert**    | `global.opensearch.tls.existingSecret`    | TLS certificate for external OpenSearch over SSL    |
+| **Secret**                          | **Chart values key**              | **Purpose**                                         |
+| ----------------------------------- | --------------------------------- | --------------------------------------------------- |
+| **Console TLS Certificate**         | `console.tls.secret`              | TLS certificate for Console web application         |
+| **External Elasticsearch TLS Cert** | `global.elasticsearch.tls.secret` | TLS certificate for external Elasticsearch over SSL |
+| **External OpenSearch TLS Cert**    | `global.opensearch.tls.secret`    | TLS certificate for external OpenSearch over SSL    |
 
-### Ingress TLS
+**TLS Certificate Configuration**: Unlike password-based secrets, TLS certificates do not support `inlineSecret` (certificates are binary files unsuitable for inline configuration).
 
-Configure TLS for Camunda services exposed via Ingress:
+For Elasticsearch and OpenSearch, both `existingSecret` and `existingSecretKey` are required to specify which key in the secret contains the certificate file. For Console, only `existingSecret` is required as the entire secret is mounted as a directory.
 
-```yaml
-global:
-  ingress:
-    tls:
-      enabled: true
-      secretName: camunda-platform
-```
+Create the secrets with your certificate files using `kubectl create secret generic`:
 
-### External service TLS
+```sh
+kubectl create secret generic <secret-name> \
+  --from-file=<key>=<path-to-certificate-file> \
+  --namespace camunda
+```
 
-For external Elasticsearch or OpenSearch with TLS, configure the TLS certificate using the legacy pattern:
+Reference them in your values:
 
 ```yaml
+# Elasticsearch/OpenSearch
 global:
   elasticsearch:
     tls:
       enabled: true
-      existingSecret: elasticsearch-tls-secret
-```
-
-### Console TLS (legacy pattern)
+      secret:
+        existingSecret: elasticsearch-tls-secret
+        existingSecretKey: externaldb.jks
 
-```yaml
+# Console
 console:
   tls:
     enabled: true
-    existingSecret: console-tls-secret
-    certKeyFilename: tls.key
+    secret:
+      existingSecret: console-tls-secret
+    certKeyFilename: ca.crt
 ```
 
-Create TLS secrets using the standard Kubernetes TLS secret type:
+### Ingress TLS
+
+Configure TLS for Camunda services exposed via Ingress:
 
 ```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: camunda-platform
-  namespace: camunda
-type: kubernetes.io/tls
-data:
-  tls.crt: <base64 encoded cert>
-  tls.key: <base64 encoded key>
+global:
+  ingress:
+    tls:
+      enabled: true
+      secretName: camunda-platform
 ```
 
 ## Extract plaintext values and reference them as Kubernetes Secrets