红帽全球峰会3.8. User-provided certificates for default ingress
3.8.1. Purpose
Applications are usually exposed at <route_name>.apps.<cluster_name>.<base_domain>. The <cluster_name> and <base_domain> come from the installation config file. <route_name> is the host field of the route, if specified, or the route name. For example, hello-openshift-default.apps.username.devcluster.openshift.com. hello-openshift is the name of the route and the route is in the default namespace. You might want clients to access the applications without the need to distribute the cluster-managed CA certificates to the clients. The administrator must set a custom default certificate when serving application content.
The Ingress Operator generates a default certificate for an Ingress Controller to serve as a placeholder until you configure a custom default certificate. Do not use operator-generated default certificates in production clusters.
3.8.2. Location
The user-provided certificates must be provided in a tls type Secret resource in the openshift-ingress namespace. Update the IngressController CR in the openshift-ingress-operator namespace to enable the use of the user-provided certificate. For more information on this process, see Setting a custom default certificate.
3.8.3. Management
User-provided certificates are managed by the user.
3.8.4. Expiration
User-provided certificates are managed by the user.
3.8.5. Services
Applications deployed on the cluster use user-provided certificates for default ingress.
3.8.6. Customization
Update the secret containing the user-managed certificate as needed.
