Merge pull request #111698 from tmalove/OSDOCS-19442

dfitzmau · web-flow · commit ee5f48daaea9 · 2026-06-05T12:45:45.000+01:00
OSDOCS#19442: Correct TLS configuration content - MicroShift
diff --git a/microshift_configuring/microshift-ingress-controller.adoc b/microshift_configuring/microshift-ingress-controller.adoc
@@ -7,7 +7,7 @@ include::_attributes/attributes-microshift.adoc[]
 toc::[]
 
 [role="_abstract"]
-Use the ingress controller options in the {microshift-short} configuration file to make pods and services accessible outside the node.
+To make pods and services accessible outside the node, you must configure the ingress controller options in the {microshift-short} configuration file.
 
 include::modules/microshift-ingress-controller-conc.adoc[leveloffset=+1]
 
@@ -17,6 +17,11 @@ include::modules/microshift-ingress-control-config-fields.adoc[leveloffset=+2]
 
 include::modules/microshift-ingress-controller-create-cert-secret.adoc[leveloffset=+2]
 
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../microshift_networking/microshift-configuring-routes.adoc#nw-ingress-creating-a-route-via-an-ingress_microshift-configuring-routes[Creating a route through an Ingress object]
+
 include::modules/microshift-ingress-controller-tls-config.adoc[leveloffset=+2]
 
 [id="additional-resources_microshift-ingress-controller_{context}"]
diff --git a/modules/microshift-ingress-controller-create-cert-secret.adoc b/modules/microshift-ingress-controller-create-cert-secret.adoc
@@ -8,18 +8,27 @@
 = Creating a secret for the ingress controller certificateSecret
 
 [role="_abstract"]
-To serve a custom default certificate through the ingress controller in {microshift-short}, you can create a TLS secret containing your certificate chain and private key, then set the `certificateSecret` value in the configuration file to that secret name.
+To secure network traffic with your own certificate, you must create a TLS secret and update the configuration file. This process configures a custom default certificate for the {microshift-short} ingress router.
 
 [NOTE]
 ====
-Any in-use certificates is automatically integrated with the {microshift-short} built-in OAuth server.
+Any in-use certificates automatically integrate with the {microshift-short} built-in OAuth server.
 ====
 
+To configure application-level certificates for a Kubernetes Ingress object by using the `spec.tls` field, follow the procedure in "Creating a route through an Ingress object".
+
 .Prerequisites
 
-* You have root access to {microshift-short}.
-* You installed the {oc-first}.
-* Your private key is not encrypted or you have decrypted it for importing into {microshift-short}.
+* Root access to the {microshift-short} host.
+* Installation of the {oc-first}.
+* A decrypted, non-password-protected TLS private key in Privacy-Enhanced Mail (PEM) format.
+* A PEM-encoded TLS certificate.
+* A valid certificate for the {microshift-short} apps wildcard where the `subjectAltName` extension includes DNS names covering `*.apps.<nodename>.<domain>`.
+
+[NOTE]
+====
+This procedure only applies to the default ingress router certificate, `ingress.certificateSecret`.
+====
 
 .Procedure
 
@@ -44,7 +53,7 @@ The certificate must include the `subjectAltName` extension showing `*.apps.<nod
 
 . Update the `certificateSecret` parameter value in the {microshift-short} configuration YAML with the newly created secret.
 
-. Complete any other configurations you require, then start or restart {microshift-short} by running one the following commands:
+. Complete any other configurations you require, then start or restart {microshift-short} by running one of the following commands:
 +
 [source,terminal]
 ----
diff --git a/modules/nw-ingress-creating-a-route-via-an-ingress.adoc b/modules/nw-ingress-creating-a-route-via-an-ingress.adoc
@@ -10,6 +10,15 @@
 [role="_abstract"]
 To integrate ecosystem components that require Ingress resources, configure an Ingress object. {product-title} automatically manages the lifecycle of the corresponding route objects, creating and deleting them to ensure seamless connectivity.
 
+.Prerequisites
+
+* If clients must receive a full certificate chain, you must combine the PEM-encoded leaf certificate and intermediates into a single file. Place the leaf certificate first, followed by each issuer in chain order.
+* You confirmed the private key matches the leaf certificate in the `tls.crt` key.
+* You confirmed the `tls.key` key has only the private key for the leaf certificate.
+* The certificate Subject Alternative Name (SAN), or the subject CN if no SAN is present, covers every hostname set in `spec.rules[].host` and `spec.tls[].hosts`. These values must match for the same host.
+* The private key is not password-encrypted. You must decrypt the key before you create the TLS secret so that {product-title} can read the key material.
+* You created a `Secret` of type `kubernetes.io/tls` in the same namespace as the `Ingress`. The `secretName` must match the `spec.tls[].secretName` field. If you have not created the secret, you must do so before you apply the `Ingress` object.
+
 .Procedure
 
 . Define an Ingress object in the {product-title} console or by entering the `oc create` command:
