kic: update TLS upstream verification guide

Kong · Dec 12, 2024 · 8283d58 · 8283d58
1 parent 130c695
commit 8283d58
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 30 deletions.
diff --git a/app/_includes/md/kic/ca-certificates-note.md b/app/_includes/md/kic/ca-certificates-note.md
@@ -1,8 +1,8 @@
 {:.note}
-> CA certificates in Kong are provisioned by creating a `Secret` resource in Kubernetes. CA certificate secrets must
-> have the following properties:
+> CA certificates in Kong are provisioned by creating `Secret` or `ConfigMap` resource in Kubernetes.
+> Resources holding CA certificates must have the following properties:
 > - the `konghq.com/ca-cert: "true"` label applied.
-> - a `cert` data property which contains a valid CA certificate in PEM format.
+> - a `cert` or `ca.crt` data property which contains a valid CA certificate in PEM format.
 > - a `kubernetes.io/ingress.class` annotation whose value matches the value of the controller's `--ingress-class`
     argument. By default, that value is `kong`.
 > - an `id` data property which contains a random UUID.

diff --git a/app/_includes/md/kic/http-test-routing-resource.md b/app/_includes/md/kic/http-test-routing-resource.md
@@ -3,6 +3,7 @@
 {%- assign name = include.name | default: 'echo' %}
 {%- assign service = include.service | default: 'echo' %}
 {%- assign port = include.port | default: '1027' %}
+{%- assign route_type = include.route_type | default: 'PathPrefix' %}
 
 {% capture the_code %}
 {% navtabs api %}
@@ -28,7 +29,7 @@ spec:
 {% endunless %}  rules:
   - matches:
     - path:
-        type: {{ include.route_type }}
+        type: {{ route_type }}
         value: {{ path }}
     backendRefs:
     - name: {{ service }}
@@ -53,7 +54,7 @@ spec:
   - {% unless include.skip_host %}host: {{ hostname }}
     {% endunless %}http:
       paths:
-      - path: {% if include.route_type == 'RegularExpression' %}/~{% endif %}{{ path }}
+      - path: {% if route_type == 'RegularExpression' %}/~{% endif %}{{ path }}
         pathType: ImplementationSpecific
         backend:
           service:

diff --git a/app/_src/kubernetes-ingress-controller/guides/security/verify-upstream-tls.md b/app/_src/kubernetes-ingress-controller/guides/security/verify-upstream-tls.md
@@ -166,7 +166,7 @@ service/echo patched
 
 Now that the `kong/goecho` service is serving HTTPS, we need to expose it.
 
-{% include /md/kic/http-test-routing-resource.md service=echo port=443 %}
+{% include /md/kic/http-test-routing-resource.md service=echo port=443 route_type=PathPrefix %}
 
 Verify connectivity by issuing an HTTP request to proxy. The service serves HTTPS but {{ site.base_gateway }} initiates
 the connection and proxies it as HTTP in this case, thus the request should be made over HTTP. The `Host` header is
@@ -240,40 +240,63 @@ it with the service.
 
 First, create a secret with the root CA certificate.
 
-{% include /md/kic/ca-certificates-note.md %}
-
+{% navtabs certificate %}
+{% navtab Secret %}
 ```shell
-echo '
-apiVersion: v1
-kind: Secret
-metadata:
-  name: root-ca
-  labels:
-    konghq.com/ca-cert: "true" # This label is required for the CA certificate to be recognized by Kong
-  annotations:
-    kubernetes.io/ingress.class: kong
-data:
-  cert: '$(base64 -w0 ./certs/root.crt)'
-  # An arbitrary ID for the certificate 
-  id: '$(printf "bf6e0f14-78cd-45ad-9325-87ec7ef7b890" | base64 -w0)'
-' | kubectl apply -f -
+kubectl create secret generic root-ca \
+  --from-file=ca.crt=./certs/root.crt \
+  --from-literal=id=bf6e0f14-78cd-45ad-9325-87ec7ef7b891 # An arbitrary ID for the certificate
+kubectl label secret root-ca konghq.com/ca-cert=true     # This label is required for the CA certificate to be recognized by Kong
+kubectl annotate secret root-ca kubernetes.io/ingress.class=kong
 ```
 
 The results should look like this.
 
 ```text
 secret/root-ca created
+configmap/root-ca labeled
+configmap/root-ca annotated
+```
+
+Now, associate the root CA certificate with the service passing its name to `konghq.com/ca-certificates-secret` annotation.
+
+{:.note}
+> The `konghq.com/ca-certificates-secret` annotation is a comma-separated list of `Secret`s holding CA certificates.
+> You can add multiple `Secret`s to the list.
+
+```shell
+kubectl annotate service echo konghq.com/ca-certificates-secret='root-ca'
+```
+{% endnavtab %}
+{% navtab ConfigMap %}
+
+```shell
+kubectl create configmap root-ca \
+  --from-file=ca.crt=./certs/root.crt \
+  --from-literal=id=bf6e0f14-78cd-45ad-9325-87ec7ef7b891 # An arbitrary ID for the certificate
+kubectl label configmap root-ca konghq.com/ca-cert=true  # This label is required for the CA certificate to be recognized by Kong
+kubectl annotate configmap root-ca kubernetes.io/ingress.class=kong
+```
+
+The results should look like this.
+
+```text
+configmap/root-ca created
+configmap/root-ca labeled
+configmap/root-ca annotated
 ```
 
-Now, associate the root CA certificate with the service passing its name to `konghq.com/ca-certificates` annotation.
+Now, associate the root CA certificate with the service passing its name to `konghq.com/ca-certificates-configmap` annotation.
 
 {:.note}
-> The `konghq.com/ca-certificates` annotation is a comma-separated list of CA certificate names. You can add multiple
-> CA certificates to the list.
+> The `konghq.com/ca-certificates-configmap` annotation is a comma-separated list of `ConfigMap`s holding CA certificates.
+> You can add multiple `ConfigMap`s to the list.
 
 ```shell
-kubectl annotate service echo konghq.com/ca-certificates='root-ca'
+kubectl annotate service echo konghq.com/ca-certificates-configmap='root-ca'
 ```
+{% endnavtab %}
+{% endnavtabs %}
 
 The results should look like this.
 

diff --git a/app/_src/kubernetes-ingress-controller/reference/annotations.md b/app/_src/kubernetes-ingress-controller/reference/annotations.md
@@ -693,13 +693,19 @@ The value of the annotation should be an integer. If not set, a system default v
 See [TLS verification of Upstream Service](/kubernetes-ingress-controller/{{page.release}}/guides/security/verify-upstream-tls)
 guide for more information.
 
-### konghq.com/ca-certificates
+### konghq.com/ca-certificates-secret
 
 > Available since controller 3.4
 
-This annotation can be used to assign CA certificates to be used for the upstream service's TLS certificates
-verification.
-The value of the annotation should be a comma-separated list of CA certificate names.
+This annotation can be used to assign CA certificates to be used for the upstream service's TLS certificates verification.
+The value of the annotation should be a comma-separated list of `Secret`s containing CA certificates.
+
+### konghq.com/ca-certificates-configmap
+
+> Available since controller 3.4
+
+This annotation can be used to assign CA certificates to be used for the upstream service's TLS certificates verification.
+The value of the annotation should be a comma-separated list of `ConfigMap`s containing CA certificates.
 
 {% include /md/kic/ca-certificates-note.md %}