mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-01 07:50:26 +02:00
Docs: document default cert annotation. (#3076)
This commit is contained in:
parent
da97546de1
commit
f7d36c3f1d
2 changed files with 19 additions and 5 deletions
@ -143,6 +143,21 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol
If you changed the `*.localhost.pomerium.io` value in `pomerium-certificates.yaml` update `config.rootDomain` to match, omitting the `*`.
:::
::: details Default Certificate
If you're using a single wildcard certificate for all routes managed by Pomerium, you can set it in an annotation for the ingress controller.
Add a block defining the default certificate to `pomerium-values.yaml`:
```yaml
ingressController:
ingressClassResource:
defaultCertSecret: 'namespace/certSecretName'
```
Now when defining ingresses you need not specify individual certificates, as documented in our example service below.
:::
1. Add Pomerium's Helm repo:
```bash
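Review bot: the prose in the new `::: details Default Certificate` block says the certificate is set "in an annotation for the ingress controller", but the snippet that follows sets a Helm value, `ingressController.ingressClassResource.defaultCertSecret`, not an `ingress.pomerium.io/...` annotation on an Ingress; reword to "on the IngressClass resource, via the Helm values" (or similar) so readers do not go looking for an annotation, and consider matching the commit title to that. Two things a reader configuring this will also want stated here: the secret type expected behind `'namespace/certSecretName'` (the note later in this file requires `tls_client_secret` to be a TLS Kubernetes secret; say whether the same holds for the default certificate), and whether an Ingress that still names its own secret in its `tls` section overrides the default, because "you need not specify individual certificates" currently reads as if per-route certificates are no longer honoured. Finally, "as documented in our example service below" is a loose pointer; name the section or example it refers to.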
@ -174,12 +174,12 @@ The remaining annotations are specific to or behave differently than they do whe
| Annotation | Description |
| ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ingress.pomerium.io/tls_custom_ca_secret` | Name of Kubernetes `tls` Secret containing a custom [CA certificate][`tls_custom_ca_secret`] for the upstream. |
| `ingress.pomerium.io/tls_client_secret` | Name of Kubernetes `tls` Secret containing a [client certificate][tls_client_certificate] for connecting to the upstream. |
| `ingress.pomerium.io/tls_downstream_client_ca_secret` | Name of Kubernetes `tls` Secret containing a [Client CA][client-certificate-authority] for validating downstream clients. |
| `ingress.pomerium.io/secure_upstream` | When set to `"true"`, use `https` when connecting to the upstream endpoint. |
| `ingress.pomerium.io/path_regex` | When set to `"true"` enables path regex matching. See the [Regular Expressions Path Matching](#regular-expressions-path-matching) section for more information. |
| `ingress.pomerium.io/secure_upstream` | When set to `"true"`, use `https` when connecting to the upstream endpoint. |
| `ingress.pomerium.io/service_proxy_upstream` | When set to `"true"` forces Pomerium to connect to upstreams through the k8s service proxy, and not individual endpoints. <br/> This is useful when deploying Pomerium inside a service mesh. |
| `ingress.pomerium.io/tls_client_secret` | Name of Kubernetes `tls` Secret containing a [client certificate][tls_client_certificate] for connecting to the upstream. |
| `ingress.pomerium.io/tls_custom_ca_secret` | Name of Kubernetes `tls` Secret containing a custom [CA certificate][`tls_custom_ca_secret`] for the upstream. |
| `ingress.pomerium.io/tls_downstream_client_ca_secret` | Name of Kubernetes `tls` Secret containing a [Client CA][client-certificate-authority] for validating downstream clients. |
::: tip
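Review bot: while the rows are being reordered alphabetically, the descriptions for `ingress.pomerium.io/tls_custom_ca_secret` and `ingress.pomerium.io/tls_downstream_client_ca_secret` still say "Name of Kubernetes `tls` Secret", yet the note further down in this same file requires those two secrets to contain a `ca.crt` key, which is not what the `tls` Secret wording conveys; "Name of a Kubernetes Secret with a `ca.crt` key containing ..." would match that requirement and leave only `tls_client_secret` described as a `tls` Secret. Also worth checking in the moved rows: the link label is written as ``[`tls_custom_ca_secret`]`` with backticks inside the brackets, unlike `[tls_client_certificate]` and `[client-certificate-authority]`; make sure the reference definition uses the same label or the link will not resolve.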
@ -256,7 +256,6 @@ Additional TLS certificates may be supplied by creating a Kubernetes secret(s) i
Please note that the referenced `tls_client_secret` must be a [TLS Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). `tls_custom_ca_secret` and `tls_downstream_client_ca_secret` must contain `ca.crt` containing a .PEM encoded (base64-encoded DER format) public certificate.
### External services
You may refer to external services by defining a [Service](https://kubernetes.io/docs/concepts/services-networking/service/) with `externalName`.
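Review bot: small wording fix in the context line of this hunk, since it is the line readers will copy from when building the CA secrets: "a .PEM encoded (base64-encoded DER format) public certificate" should read "a PEM-encoded (base64 DER) CA certificate", dropping the stray leading dot and saying "CA certificate" rather than "public certificate" because both `tls_custom_ca_secret` and `tls_downstream_client_ca_secret` hold trust anchors, not leaf certificates.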