Placing 4.5 ingress certificate workflow diagrams

2026-02-05 12:46:18 +01:00 · 2020-05-14 17:47:54 -04:00
parent 5746826210
commit 11b4247aad
5 changed files with 36 additions and 0 deletions
--- a/authentication/certificate-types-descriptions.adoc
+++ b/authentication/certificate-types-descriptions.adoc
@@ -63,6 +63,42 @@ to serve as a placeholder until you configure a custom default certificate. Do
 not use Operator-generated default certificates in production clusters.
 ====

+[discrete]
+== Workflow
+
+.Custom certificate workflow
+
+image::custom_4.5.png[custom ingress certificate workflow]
+
+
+.Default certificate workflow
+
+image::default_4.5.png[default ingress certificate workflow]
+
+image:darkcircle-0.png[20,20] An empty `defaultCertificate` field causes the Ingress Operator to use its self-signed CA to generate a serving certificate for the specified domain.
+
+image:darkcircle-1.png[20,20] The default CA certificate and key generated by the Ingress Operator. Used to sign Operator-generated default serving certificates.
+
+image:darkcircle-2.png[20,20] In the default workflow, the wildcard default serving certificate, created by the Ingress Operator and signed using the generated default CA certificate. In the custom workflow, this is the user-provided certificate.
+
+image:darkcircle-3.png[20,20] The router deployment. Uses the certificate in `secrets/router-certs-default` as its default front-end server certificate.
+
+image:darkcircle-4.png[20,20] In the default workflow, the contents of the wildcard default serving certificate (public and private parts) are copied here to enable OAuth integration. In the custom workflow, this is the user-provided certificate.
+
+image:darkcircle-5.png[20,20] The public (certificate) part of the default serving certificate. Replaces the `configmaps/router-ca` resource.
+
+image:darkcircle-6.png[20,20] The user updates the cluster proxy configuration with the CA certificate that signed the `ingresscontroller` serving certificate. This enables components like `auth`, `console`, and the registry to trust the serving certificate.
+
+image:darkcircle-7.png[20,20] The cluster-wide trusted CA bundle containing the combined {op-system-first} and user-provided CA bundles or an {op-system}-only bundle if a user bundle is not provided.
+
+image:darkcircle-8.png[20,20] The custom CA certificate bundle, which instructs other components (for example, `auth` and `console`) to trust an `ingresscontroller` configured with a custom certificate.
+
+image:darkcircle-9.png[20,20] The `trustedCA` field is used to reference the user-provided CA bundle.
+
+image:darkcircle-10.png[20,20] The Cluster Network Operator injects the trusted CA bundle into the `proxy-ca` ConfigMap.
+
+image:darkcircle-11.png[20,20] {product-title} {product-version} and newer use `default-ingress-cert`.
+
 [discrete]
 == Expiration

--- a/images/custom_4.5.png
+++ b/images/custom_4.5.png
--- a/images/darkcircle-11.png
+++ b/images/darkcircle-11.png
--- a/images/darkcircle-12.png
+++ b/images/darkcircle-12.png
--- a/images/default_4.5.png
+++ b/images/default_4.5.png