Update k8s fed docs to clarify role of acl token (#10233)

website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx

@@ -20,24 +20,33 @@ must be the [primary](/docs/k8s/installation/multi-cluster/kubernetes#primary-da
 If your primary datacenter is running on Kubernetes, use the Helm config from the
 [Primary Datacenter](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter) section to install Consul.
 
-Once installed, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults),
+Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults),
 you'll need to export the following information from the primary Kubernetes cluster:
 
-* The certificate authority cert:
+- Certificate authority cert and key (in order to create SSL certs for VMs)
+- External addresses of Kubernetes mesh gateways
+- Replication ACL token
+- Gossip encryption key
+
+The following sections detail how to export this data.
+
+### Certificates
+
+1. Retrieve the certificate authority cert:
 
    ```sh
    kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' |
      base64 -D > consul-agent-ca.pem
    ```
 
-* The certificate authority signing key:
+1. And the certificate authority signing key:
 
    ```sh
    kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' |
       base64 -D > consul-agent-ca-key.pem
    ```
 
-With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can
+1. With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can
    create certificates for your servers and clients running on VMs that share the
    same certificate authority as your Kubernetes servers.
 
@@ -63,7 +72,7 @@ Not satisfying this requirement would result in the following error in the Consu
    See the help for output of `consul tls cert create -h` to see more options
    for generating server certificates.
 
-These certificates can be used in your server config file:
+1. These certificates can be used in your server config file:
 
    ```hcl
    # server.hcl
@@ -72,7 +81,7 @@ key_file = "vm-dc-server-consul-0-key.pem"
    ca_file = "consul-agent-ca.pem"
    ```
 
-For clients, you can generate TLS certs with:
+1. For clients, you can generate TLS certs with:
 
    ```shell-session
    $ consul tls cert create -client
@@ -83,7 +92,9 @@ $ consul tls cert create -client
 
    Or use the [auto_encrypt](/docs/agent/options#auto_encrypt) feature.
 
-1. The WAN addresses of the mesh gateways:
+### Mesh Gateway Addresses
+
+Retrieve the WAN addresses of the mesh gateways:
 
 ```shell-session
 $ kubectl exec statefulset/consul-server -- sh -c \
@@ -108,7 +119,9 @@ setting:
 primary_gateways = ["1.2.3.4:443"]
 ```
 
-1. If ACLs are enabled, you'll also need the replication ACL token:
+### Replication ACL Token
+
+If ACLs are enabled, you'll also need the replication ACL token:
 
 ```shell-session
 $ kubectl get secrets/consul-acl-replication-acl-token --template='{{.data.token}}'
@@ -116,18 +129,22 @@ e7924dd1-dc3f-f644-da54-81a73ba0a178
 ```
 
 This token will be used in the server config for the replication token.
-You must also create your own agent policy and token.
 
 ```hcl
 acls {
   tokens {
-    agent = "<your agent token>"
     replication = "e7924dd1-dc3f-f644-da54-81a73ba0a178"
   }
 }
 ```
 
-1. If gossip encryption is enabled, you'll need the key as well. The command
+-> **NOTE:** You'll also need to set up additional ACL tokens as needed by the
+ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#apply-individual-tokens-to-agents)
+for more information.
+
+### Gossip Encryption Key
+
+If gossip encryption is enabled, you'll need the key as well. The command
 to retrieve the key will depend on which Kubernetes secret you've stored it in.
 
 This key will be used in server and client configs for the `encrypt` setting:
@@ -136,6 +153,8 @@ acls {
 encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI="
 ```
 
+### Final Configuration
+
 A final example server config file might look like:
 
 ```hcl
@@ -293,11 +312,11 @@ gateways running on VMs.
 With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation/install)
 to install Consul on your secondary cluster(s).
 
-## Next Steps
-
 After installation, if you're using consul-helm 0.30.0+, [create the
 `ProxyDefaults` resource](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults)
 to allow traffic between datacenters.
 
-Follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation)
+## Next Steps
+
+In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation)
 section to verify that federation is working as expected.