From 7c57ac30ae83ddc19525aa4c86bb08bfd6f19ce9 Mon Sep 17 00:00:00 2001
From: subhtk <stk@redhat.com>
Date: Mon, 5 May 2025 11:02:50 +0530
Subject: [PATCH] SME review comments addressed

---
 modules/nw-ingress-route-secret-load-external-cert.adoc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/nw-ingress-route-secret-load-external-cert.adoc b/modules/nw-ingress-route-secret-load-external-cert.adoc
index 2b39444ff29c..8ab0c6c97334 100644
--- a/modules/nw-ingress-route-secret-load-external-cert.adoc
+++ b/modules/nw-ingress-route-secret-load-external-cert.adoc
@@ -23,6 +23,14 @@ This feature applies to both edge routes and re-encrypt routes.
 * You must have a secret containing a valid certificate/key pair in PEM-encoded format of type `kubernetes.io/tls`, which includes both `tls.key` and `tls.crt` keys.
 * You must place the referenced secret in the same namespace as the route you want to secure.
 
+[NOTE]
+====
+To configure the `spec.tls.externalCertificate` field on a route:
+
+* You must have the `create` permission on the `routes/custom-host` sub-resource to set this field during route creation.
+* You must have either the `create` or `update` permission on the `routes/custom-host` sub-resource to modify this field on an existing route.
+====
+
 .Procedure
 
 . Create a `role` in the same namespace as the secret to allow the router service account read access by running the following command: