From 6ac1d057dc3eb343ab60759c2721bef9675658ce Mon Sep 17 00:00:00 2001
From: maxlaverse <max@laverse.net>
Date: Mon, 5 Mar 2018 20:01:50 +0100
Subject: [PATCH] Add documentation about secure-verify-ca-secret (#2169)

---
 docs/user-guide/annotations.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docs/user-guide/annotations.md b/docs/user-guide/annotations.md
index 12f6f4819..149f52991 100644
--- a/docs/user-guide/annotations.md
+++ b/docs/user-guide/annotations.md
@@ -47,6 +47,7 @@ The following annotations are supported:
 |[nginx.ingress.kubernetes.io/proxy-redirect-to](#proxy-redirect)|string|
 |[nginx.ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
 |[nginx.ingress.kubernetes.io/secure-backends](#secure-backends)|"true" or "false"|
+|[nginx.ingress.kubernetes.io/secure-verify-ca-secret](#secure-backends)|string|
 |[nginx.ingress.kubernetes.io/server-alias](#server-alias)|string|
 |[nginx.ingress.kubernetes.io/server-snippet](#server-snippet)|string|
 |[nginx.ingress.kubernetes.io/service-upstream](#service-upstream)|"true" or "false"|
@@ -341,6 +342,9 @@ The annotation `nginx.ingress.kubernetes.io/ssl-passthrough` allows to configure
 ### Secure backends
 
 By default NGINX uses `http` to reach the services. Adding the annotation `nginx.ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`.
+If you want to validate the upstream against a specific certificate, you can create a secret with it and reference the secret with the annotation `nginx.ingress.kubernetes.io/secure-verify-ca-secret`.
+
+Please note that if an invalid or non-existent secret is given, the NGINX ingress controller will ignore the `secure-backends` annotation.
 
 ### Service Upstream