Merge pull request #3212 from SgtCoDFish/master

Add some extra detail to the client cert auth example regarding potential gotcha

docs/examples/auth/client-certs/README.md

@@ -1,11 +1,11 @@
 # Client Certificate Authentication
+It is possible to enable Client Certificate Authentication using additional annotations in Ingress resources, created by you.
 
-It is possible to enable Client Certificate Authentication using additional annotations in the Ingress.
+## Setup Instructions
+1. Create a file named `ca.crt` containing the trusted certificate authority chain to verify client certificates. All of the certificates must be in PEM format.  
+   *NB:* The file containing the trusted certificates must be named `ca.crt` exactly - this is expected to be found in the secret.
 
-## Setup instructions
-1. Create a file named `ca.crt` containing the trusted certificate authority chain (all ca certificates in PEM format) to verify client certificates. 
- 
-2. Create a secret from this file:
+2. Create a secret from this file:  
 `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
 
-3. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your ingress object.
+3. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.

docs/examples/auth/client-certs/ingress.yaml

@@ -5,6 +5,7 @@ metadata:
     # Enable client certificate authentication
     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
     # Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
+    # NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
     nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
     # Specify the verification depth in the client certificates chain
     nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"