(WIP): OSDOCS-13371-2: Ingress Security Parms #91560
@tedaveryredhat: This pull request references OSDOCS-13371 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
🤖 Thu Apr 10 16:57:31 - Prow CI generated the docs preview:
|
||
If not set, a wildcard certificate is automatically generated and used. The certificate is valid for the Ingress Controller `domain` and `subdomains`, and | ||
the generated certificate's CA is automatically integrated with the | ||
cluster's trust store. |
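Review bot: the last sentence says the generated certificate's CA is integrated with the cluster's trust store, but says nothing about clients outside the cluster. Because the wildcard certificate is generated automatically, consider stating whether external clients need that CA distributed to them before they can validate the certificate, and name the field that "If not set" refers to so the sentence stands on its own.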
🤖 [error] RedHat.TermsErrors: Use 'truststore' rather than 'trust store'. For more information, see RedHat.TermsErrors.
|
||
`clientTLS` has the required subfields, `spec.clientTLS.clientCertificatePolicy` and `spec.clientTLS.ClientCA`. | ||
|
||
The `ClientCertificatePolicy` subfield accepts one of the two values: `Required` or `Optional`. Note that the ingress controller only checks client certificates for edge-terminated and reencrypt TLS routes; it cannot check certificates for cleartext HTTP or passthrough TLS routes. The `ClientCA` subfield specifies a config map that is in the openshift-ingress namespace. The config map should contain a CA certificate bundle. A config map is required for this field. |
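Review bot: the subfield names are cased inconsistently across these lines: `spec.clientTLS.clientCertificatePolicy` in the first sentence, then `ClientCertificatePolicy` and `ClientCA` afterwards. YAML keys are case-sensitive, so use the exact key from the configuration file everywhere; a reader who copies `ClientCA` may end up with a key that is not recognized. The paragraph also does not say how `Optional` treats a client that presents no certificate, which is the detail a reader needs to choose between the two values, and "A config map is required for this field" repeats the "required subfields" statement and could be folded into it.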
🤖 [error] RedHat.TermsErrors: Use 'plain text' rather than 'cleartext'. For more information, see RedHat.TermsErrors.
5352e9d to fa1d60b
@tedaveryredhat: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
@@ -57,11 +71,31 @@ ingress: | |||
# ... | |||
---- | |||
+ | |||
.Ingress controller configuration fields definitions table | |||
.Ingress controller operations and performance configuration fields definitions |
@tedaveryredhat, if we are going to keep it in the same page, can we separate this into a new table called "Ingress controller security configuration fields definitions"? This is not related to operations and performance.
[cols="3a,8a",options="header"] | ||
|=== | ||
|Parameter |Description | ||
|
||
|`certificateSecret` | ||
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. |
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. | |
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.**atehe** Ingress Controller. |
typo?
|`certificateSecret` | ||
|The `certificateSecret` value is a reference to a secret that contains the default certificate that is served by the Ingress Controller. When Routes do not specify their own certificate, `certificateSecret` is used.atehe Ingress Controller. | ||
|
||
For information about creating a secret, see https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/configuring-certificates#replacing-default-ingress_replacing-default-ingress [Replacing the default ingress certificate]. |
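Review bot: the link on the last line is pinned to the OpenShift Container Platform 4.18 documentation, while this PR lists 4.19 under Version(s). Consider a version attribute or an xref so the target does not go stale with each release. Also check that the URL and `[Replacing the default ingress certificate]` are adjacent with no space between them, otherwise AsciiDoc will not attach the link text to the URL.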
This doc is for OpenShift; the main difference is the namespace name. We don't use the `openshift-config` namespace, we use `openshift-ingress`, so the secret has to be created there.
|
||
If not set, the default value is based on the `apiservers.config.openshift.io/cluster` resource. | ||
|
||
When using the `Old`, `Intermediate`, and `Modern` profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the `Intermediate` profile deployed on release `X.Y.Z`, an upgrade to release `X.Y.Z+1` may cause a new profile configuration to be applied to the Ingress Controller, resulting in a rollout. `Intermediate` is the default setting. |
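Review bot: the two statements of the default appear to conflict: the first line says that, if not set, the default is based on the `apiservers.config.openshift.io/cluster` resource, while the last sentence says `Intermediate` is the default setting. State which one applies and in what order they are consulted. Since the text says the effective profile configuration can change between releases, it would also help to say what a reader should do if they need the accepted TLS versions and ciphers to stay fixed across an upgrade. Minor: "`Old`, `Intermediate`, and `Modern`" should read "or", since only one profile type is in use at a time.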
We don't have a concept of rollouts (it's for operators only), so this upgrade comment is not relevant.
Version(s): 4.19
Issue: https://issues.redhat.com/browse/OSDOCS-13371
Link to docs preview: https://91560--ocpdocs-pr.netlify.app/microshift/latest/microshift_configuring/microshift-ingress-controller.html
QE review: