document new CA bundle source option in howto docs

2025-12-23 14:25:50 +00:00 · 2024-07-31 14:55:11 -07:00
parent 43964ff7a2
commit 91ef68992c
8 changed files with 35 additions and 2 deletions
--- a/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md
+++ b/site/content/docs/howto/concierge/configure-concierge-supervisor-jwt.md
@@ -56,6 +56,9 @@ spec:
  # If the TLS certificate of your FederationDomain is not signed by
  # a standard CA trusted by the Concierge pods by default, then
  # specify its CA here as a base64-encoded PEM.
+  # Alternatively, the CA bundle can be specified in a Secret or
+  # ConfigMap that will be dynamically watched by Pinniped for
+  # changes to the CA bundle (see API docs for details).
  tls:
    certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0...0tLQo=
 ```
--- a/site/content/docs/howto/concierge/configure-concierge-webhook.md
+++ b/site/content/docs/howto/concierge/configure-concierge-webhook.md
@@ -37,7 +37,10 @@ spec:
  # HTTPS endpoint to be called as a webhook
  endpoint: https://my-webhook.example.com/any/path
  tls:
-    # base64-encoded PEM CA bundle (optional)
+    # Base64-encoded PEM CA bundle for connections to webhook (optional).
+    # Alternatively, the CA bundle can be specified in a Secret or
+    # ConfigMap that will be dynamically watched by Pinniped for
+    # changes to the CA bundle (see API docs for details).
    certificateAuthorityData: "LS0tLS1CRUdJTi[...]"
 ```

--- a/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-activedirectory.md
@@ -97,6 +97,12 @@ spec:

  # Specify the host of the Active Directory server.
  host: "activedirectory.example.com:636"
+  tls:
+    # Base64-encoded PEM CA bundle for connections to AD (optional).
+    # Alternatively, the CA bundle can be specified in a Secret or
+    # ConfigMap that will be dynamically watched by Pinniped for
+    # changes to the CA bundle (see API docs for details).
+    certificateAuthorityData: "LS0tLS1CRUdJTi[...]"

  # Specify how to search for the username when an end-user tries to log in
  # using their username and password.
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-dex.md
@@ -86,6 +86,12 @@ metadata:
 spec:
  # Specify the upstream issuer URL (no trailing slash).
  issuer: https://<dex-dns-record>
+  tls:
+    # Base64-encoded PEM CA bundle for connections to Dex (optional).
+    # Alternatively, the CA bundle can be specified in a Secret or
+    # ConfigMap that will be dynamically watched by Pinniped for
+    # changes to the CA bundle (see API docs for details).
+    certificateAuthorityData: "LS0tLS1CRUdJTi[...]"

  # Specify how to form authorization requests to Dex.
  authorizationConfig:
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-github.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-github.md
@@ -221,6 +221,9 @@ spec:
      # This field is usually only used for GitHub Enterprise Server.
      # Specify the CA certificate of the server as a
      # base64-encoded PEM bundle.
+      # Alternatively, the CA bundle can be specified in a Secret or
+      # ConfigMap that will be dynamically watched by Pinniped for
+      # changes to the CA bundle (see API docs for details).
      certificateAuthorityData: LS0tLS1CRUdJTiBDRVJUSUZJQ0FU....

  client:
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-gitlab.md
@@ -158,6 +158,9 @@ spec:

  # Specify the CA bundle for the GitLab server as base64-encoded PEM
  # data. For example, the output of `cat my-ca-bundle.pem | base64`.
+  # Alternatively, the CA bundle can be specified in a Secret or
+  # ConfigMap that will be dynamically watched by Pinniped for
+  # changes to the CA bundle (see API docs for details).
  # 
  # This is only necessary if your instance uses a custom CA.
  tls:
--- a/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-openldap.md
@@ -210,6 +210,9 @@ spec:

  # Specify the CA certificate of the LDAP server as a
  # base64-encoded PEM bundle.
+  # Alternatively, the CA bundle can be specified in a Secret or
+  # ConfigMap that will be dynamically watched by Pinniped for
+  # changes to the CA bundle (see API docs for details).
  tls:
    certificateAuthorityData: $(cat ca.pem | base64)

--- a/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md
+++ b/site/content/docs/howto/supervisor/configure-supervisor-with-workspace_one_access.md
@@ -70,6 +70,12 @@ spec:
  # actual issuer of your Workspace ONE Access environment.  Note that
  # the Workspace ONE Access issuer ends with the string "/SAAS/auth."
  issuer: https://ws1.my-company.com/SAAS/auth
+  tls:
+     # Base64-encoded PEM CA bundle for connections to WS1 (optional).
+     # Alternatively, the CA bundle can be specified in a Secret or
+     # ConfigMap that will be dynamically watched by Pinniped for
+     # changes to the CA bundle (see API docs for details).
+     certificateAuthorityData: "LS0tLS1CRUdJTi[...]"

  # Specify how to form authorization requests to Workspace ONE Access.
  authorizationConfig:
@@ -138,7 +144,7 @@ remaining claims are always available.
    "Test Group"
  ],
  "iss": "https://ws1.my-company.com/SAAS/auth",
-  "sub": "my-username@WS1-ENV-NAME",
+  "sub": "my-username@WS1-ENV-NAME"
 }
 ```