From a981c8131cec21f4604d2902bff1ebc7d68e7818 Mon Sep 17 00:00:00 2001 From: Michael Pleshakov Date: Thu, 16 Dec 2021 14:00:26 -0800 Subject: [PATCH] Extend Wildcard TLS Secret docs to cover VirtualServer --- cmd/nginx-ingress/main.go | 4 ++-- deployments/helm-chart/README.md | 6 +++--- deployments/helm-chart/values.yaml | 10 +++++----- .../global-configuration/command-line-arguments.md | 4 ++-- .../virtualserver-and-virtualserverroute-resources.md | 2 +- docs/content/installation/installation-with-helm.md | 6 +++--- 6 files changed, 16 insertions(+), 16 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 22c45bae79..642b22c814 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -142,8 +142,8 @@ var ( `The timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start. (default 60000)`) wildcardTLSSecret = flag.String("wildcard-tls-secret", "", - `A Secret with a TLS certificate and key for TLS termination of every Ingress host for which TLS termination is enabled but the Secret is not specified. - Format: /. If the argument is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. + `A Secret with a TLS certificate and key for TLS termination of every Ingress/VirtualServer host for which TLS termination is enabled but the Secret is not specified. + Format: /. If the argument is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. If the argument is set, but the Ingress controller is not able to fetch the Secret from Kubernetes API, the Ingress controller will fail to start.`) enablePrometheusMetrics = flag.Bool("enable-prometheus-metrics", false, diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 9040eac549..0baa6e9785 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -162,9 +162,9 @@ Parameter | Description | Default `controller.defaultTLS.cert` | The base64-encoded TLS certificate for the default HTTPS server. If not specified, a pre-generated self-signed certificate is used. **Note:** It is recommended that you specify your own certificate. | A pre-generated self-signed certificate. `controller.defaultTLS.key` | The base64-encoded TLS key for the default HTTPS server. **Note:** If not specified, a pre-generated key is used. It is recommended that you specify your own key. | A pre-generated key. `controller.defaultTLS.secret` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.defaultTLS.cert` and `controller.defaultTLS.key` parameters. | None -`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None -`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None -`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None +`controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. 
| None +`controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None +`controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None `controller.nodeSelector` | The node selector for pod assignment for the Ingress controller pods. | {} `controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress controller pod. | 30 `controller.tolerations` | The tolerations of the Ingress controller pods. | [] diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index 25aeec55aa..ebdfca7818 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml 
@@ -80,15 +80,15 @@ controller: secret: wildcardTLS: - ## The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified. - ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. + ## The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. cert: "" - ## The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified. - ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. + ## The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. + ## If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. key: "" - ## The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified. + ## The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. ## The value must follow the following format: `/`. ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. ## Format: / diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index 752a016808..49afc7e802 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md 
@@ -38,9 +38,9 @@ Format: `/` ### -wildcard-tls-secret `` -A Secret with a TLS certificate and key for TLS termination of every Ingress host for which TLS termination is enabled but the Secret is not specified. +A Secret with a TLS certificate and key for TLS termination of every Ingress/VirtualServer host for which TLS termination is enabled but the Secret is not specified. -* If the argument is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. +* If the argument is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. * If the argument is set, but the Ingress controller is not able to fetch the Secret from Kubernetes API, the Ingress controller will fail to start. diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index c0c7069cfb..59b1d6eb4d 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md 
@@ -73,7 +73,7 @@ redirect: {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | -|``secret`` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type ``kubernetes.io/tls`` and contain keys named ``tls.crt`` and ``tls.key`` that contain the certificate and private key as described [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). If the secret doesn't exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. | ``string`` | No | +|``secret`` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must be of the type ``kubernetes.io/tls`` and contain keys named ``tls.crt`` and ``tls.key`` that contain the certificate and private key as described [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). If the secret doesn't exist or is invalid, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. If the secret is not specified but [wildcard TLS secret](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments#cmdoption-wildcard-tls-secret) is configured, NGINX will use the wildcard secret for TLS termination. | ``string`` | No | |``redirect`` | The redirect configuration of the TLS for a VirtualServer. | [tls.redirect](#virtualservertlsredirect) | No | ### VirtualServer.TLS.Redirect | {{% /table %}} diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index d585629aaf..4409e19c6f 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
@@ -168,9 +168,9 @@ The following tables lists the configurable parameters of the NGINX Ingress cont |``controller.defaultTLS.cert`` | The base64-encoded TLS certificate for the default HTTPS server. If not specified, a pre-generated self-signed certificate is used. **Note:** It is recommended that you specify your own certificate. | A pre-generated self-signed certificate. | |``controller.defaultTLS.key`` | The base64-encoded TLS key for the default HTTPS server. **Note:** If not specified, a pre-generated key is used. It is recommended that you specify your own key. | A pre-generated key. | |``controller.defaultTLS.secret`` | The secret with a TLS certificate and key for the default HTTPS server. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.defaultTLS.cert`` and ``controller.defaultTLS.key`` parameters. | None | -|``controller.wildcardTLS.cert`` | The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None | -|``controller.wildcardTLS.key`` | The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection. | None | -|``controller.wildcardTLS.secret`` | The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.wildcardTLS.cert`` and ``controller.wildcardTLS.key`` parameters. | None | +|``controller.wildcardTLS.cert`` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. 
If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|``controller.wildcardTLS.key`` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None | +|``controller.wildcardTLS.secret`` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.wildcardTLS.cert`` and ``controller.wildcardTLS.key`` parameters. | None | |``controller.nodeSelector`` | The node selector for pod assignment for the Ingress controller pods. | {} | |``controller.terminationGracePeriodSeconds`` | The termination grace period of the Ingress controller pod. | 30 | |``controller.tolerations`` | The tolerations of the Ingress controller pods. | [] |
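Review bot: In the `deployments/helm-chart/README.md` hunk, the `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` rows still say "If the parameter is not set ... NGINX will break any attempt to establish a TLS connection", but the `controller.wildcardTLS.secret` row directly below calls itself "an alternative to specifying a certificate and key". Read literally, a deployment that sets only `controller.wildcardTLS.secret` leaves `cert` and `key` unset and would break TLS for these hosts. Since the lines are being rewritten anyway, qualify the condition, for example "If neither this parameter nor `controller.wildcardTLS.secret` is set". The same wording is repeated in the `values.yaml` and `installation-with-helm.md` hunks and needs the same fix.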
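Review bot: In the `deployments/helm-chart/values.yaml` hunk, the comment block above `wildcardTLS.secret` states the format twice: once in "The value must follow the following format: `/`." and again in the "## Format: /" line two lines later. The hunk already edits the first line of that block, so drop one of the two format lines here rather than carrying the duplicate forward.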
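Review bot: In the `virtualserver-and-virtualserverroute-resources.md` hunk, the sentence added to the `secret` row covers only the case where the secret is omitted and a wildcard TLS secret is configured. It leaves out the case where the secret is omitted and no wildcard secret is configured, which the `command-line-arguments.md` hunk documents as NGINX breaking any attempt to establish a TLS connection. Add that case to this row so that all outcomes for the field can be read in one place: secret invalid or missing, secret omitted with a wildcard secret, and secret omitted without one. It is also worth saying that the fallback certificate is the one configured for the whole controller through `-wildcard-tls-secret`, because the row otherwise only describes a secret that "must belong to the same namespace as the VirtualServer".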