Add note on temporary self signed certificates

Signed-off-by: James Munnelly <james@munnelly.eu>
2019-03-07 19:10:33 +00:00 · 2019-03-07 19:10:33 +00:00 · ad42fe557e
commit ad42fe557e
parent 27e686bf5b
1 changed files with 19 additions and 0 deletions
--- a/docs/tasks/issuing-certificates/index.rst
+++ b/docs/tasks/issuing-certificates/index.rst
@ -74,6 +74,23 @@ the `API reference documentation`_.
 .. _`#1269`: https://github.com/jetstack/cert-manager/issues/1269
 .. _`API reference documentation`: https://docs.cert-manager.io/en/release-0.7/reference/api-docs/index.html#certificatespec-v1alpha1

+Temporary certificates whilst issuing
+=====================================
+
+With some Issuer types, certificates can take a few minutes to be issued.
+
+A temporary untrusted certificate will be issued whilst this process takes
+places if another certificate does not already exist in the target Secret
+resource.
+
+This helps to improve compatibility with certain ingress controllers (e.g.
+ingress-gce_) which require a TLS certificate to be present at all times in
+order to function.
+
+After the real, valid certificate has been obtained, cert-manager will replace
+the temporary self signed certificate with the valid one, **but will retain the
+same private key**.
+
 Special fields on Certificate resources for ACME Issuers
 ========================================================

@ -88,3 +105,5 @@ More information on setting these fields can be found in the
   :maxdepth: 2

   ingress-shim
+
+.. _ingress-gce: https://github.com/kubernetes/ingress-gce