K8SPSMDB-491 add custom issuer options (#131)

* K8SPSMDB-491 add custom issuer options * K8SPSMDB-755 add allowInvalidCertificates option
percona · May 24, 2024 · 78fd177 · 78fd177
1 parent 987a5ab
commit 78fd177
Showing 1 changed file with 40 additions and 8 deletions.
diff --git a/docs/operator.md b/docs/operator.md
@@ -64,14 +64,6 @@ The [policy used to update images  :octicons-link-external-16:](https://kubernet
 | ----------- | ---------- |
 | :material-code-string: string     | `Always`   |
 
-### `tls.certValidityDuration`
-
-The validity duration of the external certificate for cert manager (90 days by default). This value is used only at cluster creation time and can’t be changed for existing clusters.
-
-| Value type  | Example    |
-| ----------- | ---------- |
-| :material-code-string: string     | `2160h`    |
-
 ### `imagePullSecrets.name`
 
 The [Kubernetes ImagePullSecret  :octicons-link-external-16:](https://kubernetes.io/docs/concepts/configuration/secret/#using-imagepullsecrets) to access the [custom registry](custom-registry.md#custom-registry).
@@ -160,6 +152,46 @@ The cluster domain to be used as a suffix for [multi-cluster Services](replicati
 | ----------- | ---------- |
 | :material-code-string: string     | `svc.clusterset.local` |
 
+### <a name="operator-issuerconf-section"></a>TLS (extended cert-manager configuration section)
+
+The `tls` section in the [deploy/cr.yaml  :octicons-link-external-16:](https://github.com/percona/percona-server-mongodb-operator/blob/main/deploy/cr.yaml) file contains various configuration options for additional customization of the [Transport Layer Security](TLS.md).
+
+### `tls.certValidityDuration`
+
+The validity duration of the external certificate for cert manager (90 days by default). This value is used only at cluster creation time and can’t be changed for existing clusters.
+
+| Value type  | Example    |
+| ----------- | ---------- |
+| :material-code-string: string     | `2160h`    |
+
+### `tls.allowInvalidCertificates`
+
+If enabled, `--tlsAllowInvalidCertificates` MongoDB Shell option will be set to true, [bypassing checks for the certificates presented by the mongod/mongos instance :octicons-link-external-16:](https://www.mongodb.com/docs/mongodb-shell/reference/options/#std-option-mongosh.--tlsAllowInvalidCertificates) (`true` by default to allow self-signed certificates generated by the Operator).
+
+| Value type  | Example    |
+| ----------- | ---------- |
+| :material-toggle-switch-outline: boolean     | `true`    |
+
+### 'tls.issuerConf.name'
+
+A [cert-manager issuer name :octicons-link-external-16:](https://cert-manager.io/docs/concepts/issuer/).
+
+| Value type  | Example    |
+| ----------- | ---------- |
+| :material-code-string: string     |  `special-selfsigned-issuer` |
+
+### 'tls.issuerConf.kind'
+
+A [cert-manager issuer type :octicons-link-external-16:](https://cert-manager.io/docs/configuration/).
+
+### 'tls.issuerConf.group'
+
+A [cert-manager issuer group :octicons-link-external-16:](https://cert-manager.io/docs/configuration/). Should be `cert-manager.io` for built-in cert-manager certificate issuers.
+
+| Value type  | Example    |
+| ----------- | ---------- |
+| :material-code-string: string     | `cert-manager.io` |
+
 ## <a name="operator-upgradeoptions-section"></a>Upgrade Options Section
 
 The `upgradeOptions` section in the [deploy/cr.yaml  :octicons-link-external-16:](https://github.com/percona/percona-server-mongodb-operator/blob/main/deploy/cr.yaml) file contains various configuration options to control Percona Server for MongoDB upgrades.