diff --git a/docs/docs/k8s/helm.md b/docs/docs/k8s/helm.md index 7b9798999..ce131b5dd 100644 --- a/docs/docs/k8s/helm.md +++ b/docs/docs/k8s/helm.md @@ -143,6 +143,21 @@ If you haven't already, install cert-manager and create a CA issuer. You can fol If you changed the `*.localhost.pomerium.io` value in `pomerium-certificates.yaml` update `config.rootDomain` to match, omitting the `*`. ::: + ::: details Default Certificate + If you're using a single wildcard certificate for all routes managed by Pomerium, you can set it in an annotation for the ingress controller. + + Add a block defining the default certificate to `pomerium-values.yaml`: + + ```yaml + ingressController: + ingressClassResource: + defaultCertSecret: 'namespace/certSecretName' + ``` + + Now when defining ingresses you need not specify individual certificates, as documented in our example service below. + + ::: + 1. Add Pomerium's Helm repo: ```bash diff --git a/docs/docs/k8s/ingress.md b/docs/docs/k8s/ingress.md index b4dd08340..bbdf6d0ee 100644 --- a/docs/docs/k8s/ingress.md +++ b/docs/docs/k8s/ingress.md 
@@ -174,12 +174,12 @@ The remaining annotations are specific to or behave differently than they do whe | Annotation | Description | | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `ingress.pomerium.io/tls_custom_ca_secret` | Name of Kubernetes `tls` Secret containing a custom [CA certificate][`tls_custom_ca_secret`] for the upstream. | -| `ingress.pomerium.io/tls_client_secret` | Name of Kubernetes `tls` Secret containing a [client certificate][tls_client_certificate] for connecting to the upstream. | -| `ingress.pomerium.io/tls_downstream_client_ca_secret` | Name of Kubernetes `tls` Secret containing a [Client CA][client-certificate-authority] for validating downstream clients. | -| `ingress.pomerium.io/secure_upstream` | When set to `"true"`, use `https` when connecting to the upstream endpoint. | | `ingress.pomerium.io/path_regex` | When set to `"true"` enables path regex matching. See the [Regular Expressions Path Matching](#regular-expressions-path-matching) section for more information. | +| `ingress.pomerium.io/secure_upstream` | When set to `"true"`, use `https` when connecting to the upstream endpoint. | | `ingress.pomerium.io/service_proxy_upstream` | When set to `"true"` forces Pomerium to connect to upstreams through the k8s service proxy, and not individual endpoints.
This is useful when deploying Pomerium inside a service mesh. | +| `ingress.pomerium.io/tls_client_secret` | Name of Kubernetes `tls` Secret containing a [client certificate][tls_client_certificate] for connecting to the upstream. | +| `ingress.pomerium.io/tls_custom_ca_secret` | Name of Kubernetes `tls` Secret containing a custom [CA certificate][`tls_custom_ca_secret`] for the upstream. | +| `ingress.pomerium.io/tls_downstream_client_ca_secret` | Name of Kubernetes `tls` Secret containing a [Client CA][client-certificate-authority] for validating downstream clients. | ::: tip @@ -256,7 +256,6 @@ Additional TLS certificates may be supplied by creating a Kubernetes secret(s) i Please note that the referenced `tls_client_secret` must be a [TLS Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets). `tls_custom_ca_secret` and `tls_downstream_client_ca_secret` must contain `ca.crt` containing a .PEM encoded (base64-encoded DER format) public certificate. - ### External services You may refer to external services by defining a [Service](https://kubernetes.io/docs/concepts/services-networking/service/) with `externalName`.
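Review bot: In the `docs/docs/k8s/helm.md` hunk, the opening sentence of the new details block says you can set the default certificate "in an annotation for the ingress controller", but the block that follows sets a Helm chart value (`ingressController.ingressClassResource.defaultCertSecret`), not an Ingress annotation; reword to "you can set it as a chart value for the ingress controller" so readers don't go looking for an annotation. The placeholder `'namespace/certSecretName'` should also be spelled out as the `<namespace>/<secret-name>` form, and since the block describes a single wildcard certificate applied to every route that lacks its own secret, it is worth adding one sentence that routes whose hostname is not covered by that wildcard still need an individual certificate, otherwise they will be served under a non-matching certificate.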
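Review bot: The `@@ -174,12 +174,12 @@` hunk in `docs/docs/k8s/ingress.md` only reorders the existing annotation rows alphabetically with no wording changes (same line count before and after), which is fine; the moved rows carry reference-style link labels (`[tls_client_certificate]`, `[client-certificate-authority]`, and the backticked `` [`tls_custom_ca_secret`] ``), so confirm the matching link definitions are still present in the file, since a broken reference renders as literal bracket text in the table.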
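Review bot: The `@@ -256,7 +256,6 @@` hunk removes only a blank line before `### External services`; while touching this section, the unchanged sentence above it reads "must contain `ca.crt` containing a .PEM encoded (base64-encoded DER format) public certificate", which would be clearer as "must contain a `ca.crt` key holding a PEM-encoded public certificate", and the opening sentence "creating a Kubernetes secret(s) i" appears cut off in the hunk context, so check the full line in the source.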