diff --git a/docs-web/configuration/ingress-resources/basic-configuration.md b/docs-web/configuration/ingress-resources/basic-configuration.md index bc3e09db15..8f36b6362d 100644 --- a/docs-web/configuration/ingress-resources/basic-configuration.md +++ b/docs-web/configuration/ingress-resources/basic-configuration.md @@ -28,7 +28,7 @@ spec: Here is a breakdown of what this Ingress resource definition means: * The `metadata.name` field defines the name of the resource `cafe‑ingress`. * In the `spec.tls` field we set up SSL/TLS termination: - * In the `secretName`, we reference a secret resource by its name, `cafe‑secret`. This resource contains the SSL/TLS certificate and key and it must be deployed prior to the Ingress resource. + * In the `secretName`, we reference a secret resource by its name, `cafe‑secret`. The secret must belong to the same namespace as the Ingress, it must be of the type ``kubernetes.io/tls`` and contain keys named ``tls.crt`` and ``tls.key`` that hold the certificate and private key as described [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls>). If the secret doesn't exist, NGINX will break any attempt to establish a TLS connection to the hosts to which the secret is applied. * In the `hosts` field, we apply the certificate and key to our `cafe.example.com` host. * In the `spec.rules` field, we define a host with domain name `cafe.example.com`. * In the `paths` field, we define two path‑based rules: diff --git a/docs-web/configuration/policy-resource.md b/docs-web/configuration/policy-resource.md index 41dc420d86..e0256b2b90 100644 --- a/docs-web/configuration/policy-resource.md +++ b/docs-web/configuration/policy-resource.md 
@@ -252,7 +252,7 @@ The value of the `${jwt_claim_user}` variable is the `user` claim of a JWT. For - Type - Required * - ``secret`` - - The name of the Kubernetes secret that stores the JWK. It must be in the same namespace as the Policy resource. The JWK must be stored in the secret under the key ``jwk``, otherwise the secret will be rejected as invalid. + - The name of the Kubernetes secret that stores the JWK. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/jwk``, and the JWK must be stored in the secret under the key ``jwk``, otherwise the secret will be rejected as invalid. - ``string`` - Yes * - ``realm`` @@ -318,7 +318,7 @@ We use the `requestHeaders` of the [Action.Proxy](/nginx-ingress-controller/conf - Type - Required * - ``clientCertSecret`` - - The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. + - The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. - ``string`` - Yes * - ``verifyClient`` 
@@ -365,11 +365,11 @@ egressMTLS: - Type - Required * - ``tlsSecret`` - - The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The certificate must be stored in the secret under the key ``tls.crt`` and ``tls.key``, otherwise the secret will be rejected as invalid. + - The name of the Kubernetes secret that stores the TLS certificate and key. It must be in the same namespace as the Policy resource. The secret must be of the type ``kubernetes.io/tls``, the certificate must be stored in the secret under the key ``tls.crt``, and the key must be stored under the key ``tls.key``, otherwise the secret will be rejected as invalid. - ``string`` - No * - ``trustedCertSecret`` - - The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. + - The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. - ``string`` - No * - ``verifyServer`` diff --git a/docs-web/configuration/virtualserver-and-virtualserverroute-resources.md b/docs-web/configuration/virtualserver-and-virtualserverroute-resources.md index df7854a6cd..1313dbf656 100644 --- a/docs-web/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs-web/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -133,7 +133,7 @@ redirect: - Type - Required * - ``secret`` - - The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must contain keys named ``tls.crt`` and ``tls.key`` that contain the certificate and private key as described `here `_. If the secret doesn't exist, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. + - The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type ``kubernetes.io/tls`` and contain keys named ``tls.crt`` and ``tls.key`` that contain the certificate and private key as described `here `_. If the secret doesn't exist, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. - ``string`` - No * - ``redirect``
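Review bot: in the basic-configuration.md hunk, the link target on the added `secretName` bullet ends in `#tls>)`, so the stray `>` becomes part of the URL and the anchor will not resolve. Drop the `>` so the target ends in `/ingress/#tls)`. The same added line wraps `kubernetes.io/tls`, `tls.crt` and `tls.key` in double backticks while the rest of this Markdown list uses single backticks, and "must belong to the same namespace as the Ingress, it must be of the type" is a comma splice that reads better as two sentences.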
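Review bot: in the policy-resource.md hunk at -252, the `secret` row now makes the type `nginx.org/jwk` a condition for the secret being accepted, which the previous wording did not state, and nothing tells a reader who already has a JWK secret that it must carry this type. Suggest adding a sentence or an upgrade note saying that a secret without the type is rejected even when the `jwk` key is present, so the behaviour change is not discovered only when authentication stops working.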
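Review bot: in the policy-resource.md hunk at -365, the added `tlsSecret` text reads "the key must be stored under the key ``tls.key``", which uses "key" for both the private key and the secret's data field in one clause. Suggest "the private key must be stored under the key ``tls.key``", matching the "certificate and private key" wording used in the Ingress and VirtualServer hunks of this same patch.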
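Review bot: in the virtualserver-and-virtualserverroute-resources.md hunk, the `secret` row adds the `kubernetes.io/tls` type requirement, but the closing sentence still describes only the case where the secret doesn't exist. Please state what happens when the secret exists but has the wrong type or is missing `tls.crt` or `tls.key`, since the Policy rows in this patch say such a secret "will be rejected as invalid" and readers will otherwise have to guess whether TLS connections to the host are broken in that case too. The same gap applies to the `secretName` bullet in basic-configuration.md.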