Commit 320bd3f

committed
document new feature
Signed-off-by: Julio Camarero <[email protected]>
1 parent fad2c04 commit 320bd3f

1 file changed

+19
-0
lines changed

content/docs/trust/trust-manager/README.md

Lines changed: 19 additions & 0 deletions
@@ -66,6 +66,12 @@ spec:
6666
fruit: apple
6767
key: "ca.crt"
6868

69+
# And another Secret source, but this time instead of specifying a key from the Secret data,
70+
# including all certificates from every key
71+
- secret:
72+
name: "my-regional-cas"
73+
includeAllKeys: true
74+
6975
# A ConfigMap in the "trust" namespace; see "Trust Namespace" below for further details
7076
- configMap:
7177
name: "my-org.net"
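Review bot: The YAML comment added at new lines 69-70 is a sentence fragment ("instead of specifying a key from the Secret data, including all certificates from every key"), so the reader has to guess what the entry does. Suggest something like `# Another Secret source; instead of naming a single key, include all certificates from every key in the Secret`. Since this example pulls every key of `my-regional-cas` into the bundle, the comment is also a good place to say so explicitly, so readers do not point it at a Secret that holds data they do not intend to publish as trust anchors.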
@@ -77,6 +83,12 @@ spec:
7783
matchLabels:
7884
fruit: apple
7985
key: "ca.crt"
86+
87+
# And another ConfigMap source, but this time instead of specifying a key from the ConfigMap data,
88+
# including all certificates from every key
89+
- secret:
90+
name: "my-org-cas"
91+
includeAllKeys: true
8092

8193
# A manually specified string
8294
- inLine: |
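Review bot: The comment at new lines 87-88 announces "another ConfigMap source" and talks about "the ConfigMap data", but the entry added at new line 89 is `- secret:`, with `name: "my-org-cas"`. This looks like a copy of the Secret example from the previous hunk with only the comment changed. If the intent is to show `includeAllKeys` on a ConfigMap, line 89 should read `- configMap:`; otherwise the comment should say Secret, and the example then duplicates the one at new lines 71-73. The comment itself also has the same fragment wording as the Secret one and would read better as "instead of naming a single key, include all certificates from every key".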
@@ -114,10 +126,17 @@ All sources and target options are documented in the trust-manager [API referenc
114126
- `inLine` - a manually specified string containing at least one certificate
115127
- `useDefaultCAs` - usually, a bundle of publicly trusted certificates
116128

129+
Both `ConfigMap` and `Secret`, support specifying a data key (`key`) that contains at least one certificate or use the
130+
`includeAllKeys` option to include all certificates from every key in the resource. The latter is useful in dynamic
131+
environments where key names are only known at runtime. When defining a `ConfigMap` or `Secret` source, the `key` and
132+
`includeAllKeys` fields are mutually exclusive: only one **must** be set, but not both.
133+
117134
Both `ConfigMap` and `Secret` also support specifying label selectors to select multiple resources at once, which is useful in dynamic
118135
environments where the name of the `ConfigMap` or `Secret` is known only at runtime. When adding a source, either of type `ConfigMap` or `Secret`,
119136
the fields `name` and `selector` are mutually exclusive: one **must** be set, but not both.
120137

138+
These features can be combined to, for instance, select all ConfigMaps with a specific label and include every
139+
certificate from each key within those ConfigMaps.
121140

122141
#### Targets
123142

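Review bot: The paragraph added at new lines 129-132 says `key` names a data key "that contains at least one certificate" but does not say what `includeAllKeys` does with a key that holds no certificate or holds other data. Because `includeAllKeys` reads every key in the resource, and the paragraph recommends it for cases where key names are only known at runtime, the docs should state whether such keys are skipped or cause the source to be rejected. Wording points in the same paragraph: drop the comma in "Both `ConfigMap` and `Secret`, support", and change "only one **must** be set, but not both" to match the existing sentence at new line 136, "one **must** be set, but not both" (or "exactly one **must** be set"). The closing sentence at new lines 138-139 mentions only ConfigMaps; if the combination of `selector` and `includeAllKeys` also applies to Secrets, say so.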