diff --git a/modules/customize-certificates-access-default-service-serving-configmap.adoc b/modules/customize-certificates-access-default-service-serving-configmap.adoc new file mode 100644 index 000000000000..8008fb8dfe1e --- /dev/null +++ b/modules/customize-certificates-access-default-service-serving-configmap.adoc @@ -0,0 +1,33 @@ +// Module included in the following assemblies: +// +// * security/certificates/service-serving-certificate.adoc + +:_mod-docs-content-type: PROCEDURE +[id="access-default-service-serving-configmap_{context}"] += Access the service CA bundle in the default config map + +A pod can access the service CA certificate by mounting the default +`ConfigMap` object that exists in every project. The service CA +certificate is in the `service-ca.crt` key of the `openshift-service-ca.crt` +config map. Access to this CA certificate allows TLS clients to verify +connections to services using service serving certificates. + +.Procedure + +. View the config map to ensure that the service CA bundle is available: ++ +[source,terminal] +---- +$ oc get configmap openshift-service-ca.crt -o yaml +---- ++ +The CA bundle is displayed as the value of the `service-ca.crt` key in the YAML output: ++ +[source,terminal] +---- +apiVersion: v1 +data: + service-ca.crt: | + -----BEGIN CERTIFICATE----- +... +---- diff --git a/security/certificates/service-serving-certificate.adoc b/security/certificates/service-serving-certificate.adoc index 5f45ab2296aa..606e2ff42700 100644 --- a/security/certificates/service-serving-certificate.adoc +++ b/security/certificates/service-serving-certificate.adoc 
@@ -14,6 +14,8 @@ include::modules/customize-certificates-add-service-serving.adoc[leveloffset=+1] .Additional resources * You can use a service certificate to configure a secure route using reencrypt TLS termination. For more information, see xref:../../networking/routes/secured-routes.adoc#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes[Creating a re-encrypt route with a custom certificate]. +include::modules/customize-certificates-access-default-service-serving-configmap.adoc[leveloffset=+1] + include::modules/customize-certificates-add-service-serving-configmap.adoc[leveloffset=+1] include::modules/customize-certificates-add-service-serving-apiservice.adoc[leveloffset=+1]
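Review bot: In the new module `customize-certificates-access-default-service-serving-configmap.adoc`, the opening paragraph says a pod accesses the service CA certificate "by mounting the default `ConfigMap` object", but the only procedure step is `oc get configmap openshift-service-ca.crt -o yaml`, which reads the config map from the CLI and mounts nothing. Either add a step that shows the `openshift-service-ca.crt` config map mounted into a pod so that a TLS client can point at the `service-ca.crt` key, or reword the introduction to say that the procedure only confirms the bundle is available. Two smaller points in the same hunk: the sample output block is YAML but is tagged `[source,terminal]`, and the title "Access the service CA bundle in the default config map" is imperative while the procedure title referenced in the assembly hunk ("Creating a re-encrypt route with a custom certificate") uses a gerund.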
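Review bot: In the `service-serving-certificate.adoc` hunk, the new include lands directly before `customize-certificates-add-service-serving-configmap.adoc`, so readers get two config map procedures back to back with nothing that tells them when the default `openshift-service-ca.crt` config map is enough and when they need the procedure in the following module. Consider adding one sentence or an `.Additional resources` entry in the new module that points to the next procedure and states the difference. It is also worth confirming that the rendered `.Additional resources` list above still reads as belonging to `customize-certificates-add-service-serving.adoc` now that a different module follows it.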