Added a note in creating the externally managed certificate section

subhtk · subhtk · commit 700c6441a1dc · 2025-05-05T11:02:50.000+05:30
diff --git a/modules/nw-ingress-route-secret-load-external-cert.adoc b/modules/nw-ingress-route-secret-load-external-cert.adoc
@@ -23,6 +23,14 @@ This feature applies to both edge routes and re-encrypt routes.
 * You must have a secret containing a valid certificate/key pair in PEM-encoded format of type `kubernetes.io/tls`, which includes both `tls.key` and `tls.crt` keys.
 * You must place the referenced secret in the same namespace as the route you want to secure.
 
+[NOTE]
+====
+To configure the `spec.tls.externalCertificate` field on a route:
+
+* You must have the `create` permission on the `routes/custom-host` resource to set this field during route creation.
+* You must have either the `create` or `update` permission on the `routes/custom-host` resource to modify this field on an existing route.
+====
+
 .Procedure
 
 . Create a `role` in the same namespace as the secret to allow the router service account read access by running the following command:
