From 91ef68992c662d2e32b80c66efcb1ca2911849c5 Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Wed, 31 Jul 2024 14:55:11 -0700
Subject: [PATCH] document new CA bundle source option in howto docs
---
 .../howto/concierge/configure-concierge-supervisor-jwt.md | 3 +++
 .../docs/howto/concierge/configure-concierge-webhook.md | 5 ++++-
 .../configure-supervisor-with-activedirectory.md | 6 ++++++
 .../howto/supervisor/configure-supervisor-with-dex.md | 6 ++++++
 .../howto/supervisor/configure-supervisor-with-github.md | 3 +++
 .../howto/supervisor/configure-supervisor-with-gitlab.md | 3 +++
 .../supervisor/configure-supervisor-with-openldap.md | 3 +++
 .../configure-supervisor-with-workspace_one_access.md | 8 +++++++-
 8 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md b/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md
index d9089775b..05905096b 100644
--- a/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md
+++ b/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md
@@ -56,6 +56,9 @@ spec:
 # If the TLS certificate of your FederationDomain is not signed by
 # a standard CA trusted by the Concierge pods by default, then
 # specify its CA here as a base64-encoded PEM.
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
 tls:
 certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0...0tLQo=
 ```
diff --git a/site/content/docs/howto/concierge/configure-concierge-webhook.md b/site/content/docs/howto/concierge/configure-concierge-webhook.md
index 0b0b0fe4f..c38325371 100644
--- a/site/content/docs/howto/concierge/configure-concierge-webhook.md
+++ b/site/content/docs/howto/concierge/configure-concierge-webhook.md
@@ -37,7 +37,10 @@ spec:
 # HTTPS endpoint to be called as a webhook
 endpoint: https://my-webhook.example.com/any/path
 tls:
- # base64-encoded PEM CA bundle (optional)
+ # Base64-encoded PEM CA bundle for connections to webhook (optional).
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
 certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
 ```
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md b/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md
index 55c8fc416..ab088a411 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md
@@ -97,6 +97,12 @@ spec:
 # Specify the host of the Active Directory server.
 host: "activedirectory.example.com:636"
+ tls:
+ # Base64-encoded PEM CA bundle for connections to AD (optional).
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
+ certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
 # Specify how to search for the username when an end-user tries to log in
 # using their username and password.
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md b/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md
index db5a8879c..81ff4f9aa 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md
@@ -86,6 +86,12 @@ metadata:
 spec:
 # Specify the upstream issuer URL (no trailing slash).
 issuer: https://
+ tls:
+ # Base64-encoded PEM CA bundle for connections to Dex (optional).
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
+ certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
 # Specify how to form authorization requests to Dex.
 authorizationConfig:
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-github.md b/site/content/docs/howto/supervisor/configure-supervisor-with-github.md
index 60d85bed6..eb9bbcc83 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-github.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-github.md
@@ -221,6 +221,9 @@ spec:
 # This field is usually only used for GitHub Enterprise Server.
 # Specify the CA certificate of the server as a
 # base64-encoded PEM bundle.
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
 certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU....
 client:
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md b/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md
index d0871160b..18b56627b 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md
@@ -158,6 +158,9 @@ spec:
 # Specify the CA bundle for the GitLab server as base64-encoded PEM
 # data. For example, the output of `cat my-ca-bundle.pem | base64`.
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
 #
 # This is only necessary if your instance uses a custom CA.
 tls:
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md b/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md
index 46aff6716..996c11a31 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md
@@ -210,6 +210,9 @@ spec:
 # Specify the CA certificate of the LDAP server as a
 # base64-encoded PEM bundle.
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
 tls:
 certificateAuthorityData: $(cat ca.pem | base64)
diff --git a/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md b/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md
index 0a04e6111..54422a5a7 100644
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md
@@ -70,6 +70,12 @@ spec:
 # actual issuer of your Workspace ONE Access environment. Note that
 # the Workspace ONE Access issuer ends with the string "/SAAS/auth."
 issuer: https://ws1.my-company.com/SAAS/auth
+ tls:
+ # Base64-encoded PEM CA bundle for connections to WS1 (optional).
+ # Alternatively, the CA bundle can be specified in a Secret or
+ # ConfigMap that will be dynamically watched by Pinniped for
+ # changes to the CA bundle (see API docs for details).
+ certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
 # Specify how to form authorization requests to Workspace ONE Access.
 authorizationConfig:
@@ -138,7 +144,7 @@ remaining claims are always available.
 "Test Group"
 ],
 "iss": "https://ws1.my-company.com/SAAS/auth",
- "sub": "my-username@WS1-ENV-NAME",
+ "sub": "my-username@WS1-ENV-NAME"
 }
 ```