Document URL: https://docs.openshift.com/container-platform/3.3/dev_guide/secrets.html#service-serving-certificate-secrets
Section Number and Name: Service Serving Certificate
Describe the issue: The certificate (that is created with this feature) will be good for the internal service DNS name, <service.name>.<service.namespace>.svc. The problem with this is that the DNS name, <service.name>.<service.namespace>.svc, is not externally routable (in most cases).
Suggestions for improvement: We should explain that when using this feature, the purpose or intent is for it to be used with "reencrypt" routes (using the wildcard DNS) so that the client -> router communication is secured by the router's default certificate, and the router -> service (pod) communication is secured by the generated service certificate (that was auto created).
This documentation will be needed until DNS work offered by: https://bugzilla.redhat.com/show_bug.cgi?id=1393486 can allow for this feature to use the dynamic DNS name and not the service DNS name.
Well, the primary use is for intracluster or intraservice communication. But absolutely the next most primary use is reencrypt.
Anyone generating a cert using oadm create-cert for the service name + public route name should probably be using service serving certs + reencrypt (includes registry, router, etc.).
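Added example, not part of the bug thread or the OpenShift documentation: a small Python model of the hostname check on each TLS hop, showing why the generated service certificate fails name validation on a passthrough route but works intracluster and behind a reencrypt route. The route host, wildcard domain, service and namespace names are constructed sample values, and the matcher is a simplified RFC 6125 check written for this illustration.

```python
# Added illustration: which certificate is checked against which name on each
# TLS hop. All hostnames are constructed sample values, not from the bug report.

ROUTER_DEFAULT_SANS = ["*.apps.example.com"]   # assumed router wildcard certificate
ROUTE_HOST = "myapp-demo.apps.example.com"     # assumed external route hostname


def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_valid_for(sans, host):
    return any(name_matches(san, host) for san in sans)


def service_dns(service, namespace):
    # The generated certificate is issued for this internal name only.
    return f"{service}.{namespace}.svc"


def check_intracluster(service, namespace):
    """Pod-to-service call inside the cluster, addressed by service DNS name."""
    name = service_dns(service, namespace)
    return {"pod->service": cert_valid_for([name], name)}


def check_route(termination, route_host, service, namespace, router_sans):
    """Return {hop: name_validation_ok} for an external client using a route."""
    svc_name = service_dns(service, namespace)
    svc_sans = [svc_name]
    if termination == "passthrough":
        # TLS is not terminated at the router, so the external client is shown
        # the service certificate and compares it with the route hostname.
        return {"client->service": cert_valid_for(svc_sans, route_host)}
    if termination == "reencrypt":
        return {
            # Hop 1: client validates the router's default (wildcard) certificate.
            "client->router": cert_valid_for(router_sans, route_host),
            # Hop 2: router validates the service certificate against the service name.
            "router->service": cert_valid_for(svc_sans, svc_name),
        }
    raise ValueError(f"unsupported termination: {termination}")


if __name__ == "__main__":
    print(check_intracluster("myapp", "demo"))
    for term in ("passthrough", "reencrypt"):
        print(term, check_route(term, ROUTE_HOST, "myapp", "demo", ROUTER_DEFAULT_SANS))
```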
Hi Eric, Clayton, and Yan,
I opened PR#3660 with a note clarifying the use of <service.name>.<service.namespace>.svc in the Service Serving Certificates section. Please take a look when you have a chance.
The changes look good, verify the bug.
Commits pushed to master at https://github.com/openshift/openshift-docs
Bug 1413729 Added a note clarifying the use of <service.name>.<service.namespace>.svc.
Merge pull request #3660 from bmcelvee/BZ1413729
Bug 1413729 Added a note clarifying the use of `<service.name>.<service.namespace>.svc`
Link to documentation on the Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html-single/developer_guide/#service-serving-certificate-secrets