Document URL: https://docs.openshift.com/container-platform/3.3/dev_guide/secrets.html#service-serving-certificate-secrets
Section Number and Name: Service Serving Certificate
Describe the issue: The certificate (that is created with this feature) will be good for the internal service DNS name, <service.name>.<service.namespace>.svc. The problem with this is that the DNS name, <service.name>.<service.namespace>.svc, is not externally routable (in most cases).
Suggestions for improvement: We should explain that when using this feature, the purpose or intent is for it to be used with "reencrypt" routes (using the wildcard DNS) so that the client -> router communication is secured by the router's default certificate, and the router -> service (pod) communication is secured by the generated service certificate (that was auto created).
Additional information: This documentation will be needed until DNS work offered by: https://bugzilla.redhat.com/show_bug.cgi?id=1393486 can allow for this feature to use the dynamic DNS name and not the service DNS name.
Well, the primary use is for intracluster or intraservice communication. But absolutely the next most primary use is reencrypt. Anyone generating a cert using oadm create-cert for the service name + public route name should probably be using service serving certs + reencrypt (includes registry, router, etc.).
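An added example, not part of the original bug thread or the OpenShift documentation: a small hostname-matching check showing why the generated service certificate validates on the router -> service hop but not for an external route host, which the router's default wildcard certificate covers instead. The route host, wildcard domain, service and namespace names are constructed, and the certificate's name list is assumed to hold only the `<service.name>.<service.namespace>.svc` name discussed above.

```python
# Added illustration; all hostnames and SAN lists below are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(sans, hostname):
    """True if any name in the certificate matches the hostname being verified."""
    return any(san_matches(s, hostname) for s in sans)


def service_cert_sans(service, namespace):
    """Name the bug report says the generated certificate is good for (assumed sole SAN)."""
    return [f"{service}.{namespace}.svc"]


def check_reencrypt(route_host, service, namespace, router_sans):
    """Report which certificate validates on each hop of a reencrypt route."""
    svc_sans = service_cert_sans(service, namespace)
    internal = f"{service}.{namespace}.svc"
    return {
        "client_to_router": cert_covers(router_sans, route_host),
        "router_to_service": cert_covers(svc_sans, internal),
        "service_cert_valid_for_route_host": cert_covers(svc_sans, route_host),
    }


if __name__ == "__main__":
    # Constructed: wildcard default router cert and a route under that domain.
    result = check_reencrypt(
        route_host="myapp.apps.example.com",
        service="myapp",
        namespace="demo",
        router_sans=["*.apps.example.com"],
    )
    for hop, ok in result.items():
        print(f"{hop}: {ok}")
```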
Hi Eric, Clayton, and Yan, I opened PR#3660[1] with a note clarifying the use of <service.name>.<service.namespace>.svc in the Service Serving Certificates section. Please take a look when you have a chance. Thanks! [1] https://github.com/openshift/openshift-docs/pull/3660
The changes look good, verify the bug.
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/14bf9cb104011b4faeacff3dfa1862d31d3608a4
Bug 1413729 Added a note clarifying the use of <service.name>.<service.namespace>.svc.

https://github.com/openshift/openshift-docs/commit/f29155a2315b7bfbc57840df2402f45274581ba0
Merge pull request #3660 from bmcelvee/BZ1413729
Bug 1413729 Added a note clarifying the use of `<service.name>.<service.namespace>.svc`
Thanks, Meng!
Link to documentation on the Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html-single/developer_guide/#service-serving-certificate-secrets