Commit 23d4d5b

Merge pull request #22154 from ahardin-rh/4-5-ingress-diagrams
Placing 4.5 ingress certificate workflow diagrams
2 parents 3db7cfb + a19128f commit 23d4d5b

File tree

5 files changed: +36 -0 lines changed


authentication/certificate-types-descriptions.adoc

Lines changed: 36 additions & 0 deletions
@@ -63,6 +63,42 @@ to serve as a placeholder until you configure a custom default certificate. Do
6363
not use Operator-generated default certificates in production clusters.
6464
====
6565

66+
[discrete]
67+
== Workflow
68+
69+
.Custom certificate workflow
70+
71+
image::custom_4.5.png[custom ingress certificate workflow]
72+
73+
74+
.Default certificate workflow
75+
76+
image::default_4.5.png[default ingress certificate workflow]
77+
78+
image:darkcircle-0.png[20,20] An empty `defaultCertificate` field causes the Ingress Operator to use its self-signed CA to generate a serving certificate for the specified domain.
79+
80+
image:darkcircle-1.png[20,20] The default CA certificate and key generated by the Ingress Operator. Used to sign Operator-generated default serving certificates.
81+
82+
image:darkcircle-2.png[20,20] In the default workflow, the wildcard default serving certificate, created by the Ingress Operator and signed using the generated default CA certificate. In the custom workflow, this is the user-provided certificate.
83+
84+
image:darkcircle-3.png[20,20] The router deployment. Uses the certificate in `secrets/router-certs-default` as its default front-end server certificate.
85+
86+
image:darkcircle-4.png[20,20] In the default workflow, the contents of the wildcard default serving certificate (public and private parts) are copied here to enable OAuth integration. In the custom workflow, this is the user-provided certificate.
87+
88+
image:darkcircle-5.png[20,20] The public (certificate) part of the default serving certificate. Replaces the `configmaps/router-ca` resource.
89+
90+
image:darkcircle-6.png[20,20] The user updates the cluster proxy configuration with the CA certificate that signed the `ingresscontroller` serving certificate. This enables components like `auth`, `console`, and the registry to trust the serving certificate.
91+
92+
image:darkcircle-7.png[20,20] The cluster-wide trusted CA bundle containing the combined {op-system-first} and user-provided CA bundles or an {op-system}-only bundle if a user bundle is not provided.
93+
94+
image:darkcircle-8.png[20,20] The custom CA certificate bundle, which instructs other components (for example, `auth` and `console`) to trust an `ingresscontroller` configured with a custom certificate.
95+
96+
image:darkcircle-9.png[20,20] The `trustedCA` field is used to reference the user-provided CA bundle.
97+
98+
image:darkcircle-10.png[20,20] The Cluster Network Operator injects the trusted CA bundle into the `proxy-ca` ConfigMap.
99+
100+
image:darkcircle-11.png[20,20] {product-title} {product-version} and newer use `default-ingress-cert`.
101+
66102
[discrete]
67103
== Expiration
68104
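Review bot: `images/darkcircle-12.png` is added by this commit but no callout in this hunk references it; the numbering ends at `image:darkcircle-11.png[20,20]`, so either the image is unused and should be dropped, or a twelfth callout is missing from the text. Callout 11 is also too thin to act on: "{product-title} {product-version} and newer use `default-ingress-cert`" names neither the resource kind nor its namespace, whereas callout 5 says the public part of the default serving certificate "Replaces the `configmaps/router-ca` resource"; if `default-ingress-cert` is that replacement, say so explicitly and give the namespace, since readers wiring up trust for `auth`, `console` and the registry need to know which object to read. Minor: the `image::custom_4.5.png[...]` and `image::default_4.5.png[...]` macros hardcode the release in the filename while the surrounding text uses `{product-version}`, so these will need bumping every release.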

images/custom_4.5.png (209 KB)

images/darkcircle-11.png (1.44 KB)

images/darkcircle-12.png (1.91 KB)

images/default_4.5.png (139 KB)
