openshift · openshift-merge-robot · Jan 31, 2020 · Jan 31, 2020
diff --git a/config/v1/0000_03_config-operator_01_proxy.crd.yaml b/config/v1/0000_03_config-operator_01_proxy.crd.yaml
@@ -62,17 +62,19 @@ spec:
                 type: string
             trustedCA:
               description: "trustedCA is a reference to a ConfigMap containing a CA
-                certificate bundle used for client egress HTTPS connections. The certificate
-                bundle must be from the CA that signed the proxy's certificate and
-                be signed for everything. The trustedCA field should only be consumed
-                by a proxy validator. The validator is responsible for reading the
-                certificate bundle from required key \"ca-bundle.crt\" and copying
-                it to a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\"
-                namespace. The namespace for the ConfigMap referenced by trustedCA
-                is \"openshift-config\". Here is an example ConfigMap (in yaml): \n
-                apiVersion: v1 kind: ConfigMap metadata:  name: user-ca-bundle  namespace:
-                openshift-config  data:    ca-bundle.crt: |      -----BEGIN CERTIFICATE-----
-                \     Custom CA certificate bundle.      -----END CERTIFICATE-----"
+                certificate bundle. The trustedCA field should only be consumed by
+                a proxy validator. The validator is responsible for reading the certificate
+                bundle from the required key \"ca-bundle.crt\", merging it with the
+                system default trust bundle, and writing the merged trust bundle to
+                a ConfigMap named \"trusted-ca-bundle\" in the \"openshift-config-managed\"
+                namespace. Clients that expect to make proxy connections must use
+                the trusted-ca-bundle for all HTTPS requests to the proxy, and may
+                use the trusted-ca-bundle for non-proxy HTTPS requests as well. \n
+                The namespace for the ConfigMap referenced by trustedCA is \"openshift-config\".
+                Here is an example ConfigMap (in yaml): \n apiVersion: v1 kind: ConfigMap
+                metadata:  name: user-ca-bundle  namespace: openshift-config  data:
+                \   ca-bundle.crt: |      -----BEGIN CERTIFICATE-----      Custom
+                CA certificate bundle.      -----END CERTIFICATE-----"
               type: object
               required:
               - name

diff --git a/config/v1/0000_10_config-operator_01_build.crd.yaml b/config/v1/0000_10_config-operator_01_build.crd.yaml
@@ -89,19 +89,21 @@ spec:
                         type: string
                     trustedCA:
                       description: "trustedCA is a reference to a ConfigMap containing
-                        a CA certificate bundle used for client egress HTTPS connections.
-                        The certificate bundle must be from the CA that signed the
-                        proxy's certificate and be signed for everything. The trustedCA
-                        field should only be consumed by a proxy validator. The validator
-                        is responsible for reading the certificate bundle from required
-                        key \"ca-bundle.crt\" and copying it to a ConfigMap named
-                        \"trusted-ca-bundle\" in the \"openshift-config-managed\"
-                        namespace. The namespace for the ConfigMap referenced by trustedCA
-                        is \"openshift-config\". Here is an example ConfigMap (in
-                        yaml): \n apiVersion: v1 kind: ConfigMap metadata:  name:
-                        user-ca-bundle  namespace: openshift-config  data:    ca-bundle.crt:
-                        |      -----BEGIN CERTIFICATE-----      Custom CA certificate
-                        bundle.      -----END CERTIFICATE-----"
+                        a CA certificate bundle. The trustedCA field should only be
+                        consumed by a proxy validator. The validator is responsible
+                        for reading the certificate bundle from the required key \"ca-bundle.crt\",
+                        merging it with the system default trust bundle, and writing
+                        the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\"
+                        in the \"openshift-config-managed\" namespace. Clients that
+                        expect to make proxy connections must use the trusted-ca-bundle
+                        for all HTTPS requests to the proxy, and may use the trusted-ca-bundle
+                        for non-proxy HTTPS requests as well. \n The namespace for
+                        the ConfigMap referenced by trustedCA is \"openshift-config\".
+                        Here is an example ConfigMap (in yaml): \n apiVersion: v1
+                        kind: ConfigMap metadata:  name: user-ca-bundle  namespace:
+                        openshift-config  data:    ca-bundle.crt: |      -----BEGIN
+                        CERTIFICATE-----      Custom CA certificate bundle.      -----END
+                        CERTIFICATE-----"
                       type: object
                       required:
                       - name
@@ -242,19 +244,21 @@ spec:
                         type: string
                     trustedCA:
                       description: "trustedCA is a reference to a ConfigMap containing
-                        a CA certificate bundle used for client egress HTTPS connections.
-                        The certificate bundle must be from the CA that signed the
-                        proxy's certificate and be signed for everything. The trustedCA
-                        field should only be consumed by a proxy validator. The validator
-                        is responsible for reading the certificate bundle from required
-                        key \"ca-bundle.crt\" and copying it to a ConfigMap named
-                        \"trusted-ca-bundle\" in the \"openshift-config-managed\"
-                        namespace. The namespace for the ConfigMap referenced by trustedCA
-                        is \"openshift-config\". Here is an example ConfigMap (in
-                        yaml): \n apiVersion: v1 kind: ConfigMap metadata:  name:
-                        user-ca-bundle  namespace: openshift-config  data:    ca-bundle.crt:
-                        |      -----BEGIN CERTIFICATE-----      Custom CA certificate
-                        bundle.      -----END CERTIFICATE-----"
+                        a CA certificate bundle. The trustedCA field should only be
+                        consumed by a proxy validator. The validator is responsible
+                        for reading the certificate bundle from the required key \"ca-bundle.crt\",
+                        merging it with the system default trust bundle, and writing
+                        the merged trust bundle to a ConfigMap named \"trusted-ca-bundle\"
+                        in the \"openshift-config-managed\" namespace. Clients that
+                        expect to make proxy connections must use the trusted-ca-bundle
+                        for all HTTPS requests to the proxy, and may use the trusted-ca-bundle
+                        for non-proxy HTTPS requests as well. \n The namespace for
+                        the ConfigMap referenced by trustedCA is \"openshift-config\".
+                        Here is an example ConfigMap (in yaml): \n apiVersion: v1
+                        kind: ConfigMap metadata:  name: user-ca-bundle  namespace:
+                        openshift-config  data:    ca-bundle.crt: |      -----BEGIN
+                        CERTIFICATE-----      Custom CA certificate bundle.      -----END
+                        CERTIFICATE-----"
                       type: object
                       required:
                       - name

diff --git a/config/v1/types_proxy.go b/config/v1/types_proxy.go
@@ -41,13 +41,17 @@ type ProxySpec struct {
 	// +optional
 	ReadinessEndpoints []string `json:"readinessEndpoints,omitempty"`
 
-	// trustedCA is a reference to a ConfigMap containing a CA certificate bundle used
-	// for client egress HTTPS connections. The certificate bundle must be from the CA
-	// that signed the proxy's certificate and be signed for everything. The trustedCA
-	// field should only be consumed by a proxy validator. The validator is responsible
-	// for reading the certificate bundle from required key "ca-bundle.crt" and copying
-	// it to a ConfigMap named "trusted-ca-bundle" in the "openshift-config-managed"
-	// namespace. The namespace for the ConfigMap referenced by trustedCA is
+	// trustedCA is a reference to a ConfigMap containing a CA certificate bundle.
+	// The trustedCA field should only be consumed by a proxy validator. The
+	// validator is responsible for reading the certificate bundle from the required
+	// key "ca-bundle.crt", merging it with the system default trust bundle,
+	// and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle"
+	// in the "openshift-config-managed" namespace. Clients that expect to make
+	// proxy connections must use the trusted-ca-bundle for all HTTPS requests to
+	// the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as
+	// well.
+	//
+	// The namespace for the ConfigMap referenced by trustedCA is
 	// "openshift-config". Here is an example ConfigMap (in yaml):
 	//
 	// apiVersion: v1

diff --git a/config/v1/zz_generated.swagger_doc_generated.go b/config/v1/zz_generated.swagger_doc_generated.go