NGF: Secret support for BackendTLSPolicy (#315)

NGF now supports the ability to configure a BackendTLSPolicy with a Secret containing the CA certificate.

Author: sjberman

Diff for: content/ngf/how-to/traffic-security/securing-backend-traffic.md

@@ -216,7 +216,9 @@ We can see we a status 400 Bad Request message from NGINX.
 
 ## Create the backend TLS configuration
 
-To configure the backend TLS terminationm, first we will create the ConfigMap that holds the `ca.crt` entry for verifying our self-signed certificates:
+{{< note >}} This example uses a `ConfigMap` to store the CA certificate, but you can also use a `Secret`. This could be a better option if integrating with [cert-manager](https://cert-manager.io/). The `Secret` should have a `ca.crt` key that holds the contents of the CA certificate. {{< /note >}}
+
+To configure the backend TLS termination, first we will create the ConfigMap that holds the `ca.crt` entry for verifying our self-signed certificates:
 
 ```yaml
 kubectl apply -f - <<EOF

Diff for: content/ngf/overview/gateway-api-compatibility.md

@@ -355,10 +355,10 @@ Fields:
     - `kind`: Supports `Service`.
     - `name`: Supported.
   - `validation`
-    - `caCertificateRefs`: Supports single reference to a `ConfigMap`, with the CA certificate in a key named `ca.crt`.
+    - `caCertificateRefs`: Supports single reference to a `ConfigMap` or `Secret`, with the CA certificate in a key named `ca.crt`.
       - `name`: Supported.
       - `group`: Supported.
-      - `kind`: Supports `ConfigMap`.
+      - `kind`: Supports `ConfigMap` and `Secret`.
     - `hostname`: Supported.
     - `wellKnownCertificates`: Supports `System`. This will set the CA certificate to the Alpine system root CA path `/etc/ssl/cert.pem`. NB: This option will only work if the NGINX image used is Alpine based. The NGF NGINX images are Alpine based by default.
     - `subjectAltNames`: Not supported.