Skip to content

Add comprehensive custom certificates documentation#293

Open
pwright wants to merge 9 commits into
skupperproject:mainfrom
pwright:certs-1
Open

Add comprehensive custom certificates documentation#293
pwright wants to merge 9 commits into
skupperproject:mainfrom
pwright:certs-1

Conversation

@pwright

@pwright pwright commented Jun 10, 2026

Copy link
Copy Markdown
Member
  • Add detailed custom certificates section to kube-yaml/site-linking.md
    • Explains default Skupper CA and certificate behavior
    • Documents custom server certificate setup
    • Provides kubectl/yq and manual methods for Link generation
    • Includes client certificate generation workflows
  • Add cross-reference in kube-cli/site-linking.md directing to YAML approach

@pwright
Add comprehensive custom certificates documentation
6c9d416 
- Add detailed custom certificates section to kube-yaml/site-linking.md
  - Explains default Skupper CA and certificate behavior
  - Documents custom server certificate setup
  - Provides kubectl/yq and manual methods for Link generation
  - Includes client certificate generation workflows
- Add cross-reference in kube-cli/site-linking.md directing to YAML approach
- Update overview/security.md with certificate trust explanation
- Fix terminology: 'Issuer' → 'signing Certificate resource'
- Fix certificate description: clarify CA hierarchy (not self-signed server cert)
- Fix kubectl commands: remove incorrect .items[] path for named resources
@pwright pwright mentioned this pull request Jun 10, 2026
Closed
fgiorgetti
fgiorgetti reviewed Jun 11, 2026
View reviewed changes
Comment thread input/kube-yaml/site-linking.md Outdated
```
Apply the secret:
```shell
kubectl delete secret skupper-site-server # delete existing secret

@fgiorgetti fgiorgetti Jun 11, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we recommend using the skupper-site-server secret (the default one used when link-access is enabled), then better to also recommend creating it before the site is created, as it needs to exist on the namespace before the skupper.io.Certificate (CR) exists, to avoid racing with the controller.

An alternative would be to suggest a custom RouterAccess CR, instead of using --enable-link-access. Then we could also explain how to define the RouterAccess CR manuall, which has the .spec.generateTlsCredentials=false and has the .spec.tlsCredentials set to a user provided Secret.

@pwright pwright Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated doc with two alternative approaches.

BTW Would deleting routeraccess when user disables linkaccess automatically be a good idea?
(then user could disable linkaccess, apply secret and re-enable linkaccess)

@pwright pwright requested a review from fgiorgetti June 17, 2026 16:00
@pwright pwright marked this pull request as ready for review June 17, 2026 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fgiorgetti fgiorgetti Awaiting requested review from fgiorgetti

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pwright @fgiorgetti