From 71237fef4f0436cb25129ee6e8881bf0edafc2bb Mon Sep 17 00:00:00 2001 From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Tue, 8 Sep 2020 11:11:48 -0700 Subject: [PATCH] Update useSystemRoots docs for k8s --- website/pages/docs/k8s/installation/helm.mdx | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/website/pages/docs/k8s/installation/helm.mdx b/website/pages/docs/k8s/installation/helm.mdx index 13879b8eec..e238549c5d 100644 --- a/website/pages/docs/k8s/installation/helm.mdx +++ b/website/pages/docs/k8s/installation/helm.mdx @@ -386,8 +386,13 @@ and consider if they're appropriate for your deployment. - `tlsServerName` ((#v-externalservers-tlsservername)) (`string: null`) - The server name to use as the SNI host header when connecting with HTTPS. - - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, the Helm chart will ignore the CA set in `global.tls.caCert` - and will rely on the container's system CAs for TLS verification when talking to Consul servers. Otherwise, the chart will use `global.tls.caCert`. + - `useSystemRoots` ((#v-externalservers-usesystemroots)) (`boolean: false`) - If true, consul-k8s components will ignore the CA set in + [`global.tls.caCert`](#v-global-cacert) when making HTTPS calls to Consul servers and + will instead use the consul-k8s image's system CAs for TLS verification. + If false, consul-k8s components will use `global.tls.caCert` when + making HTTPS calls to Consul servers. + **NOTE:** This does not affect Consul's internal RPC communication which will + always use `global.tls.caCert`. - `k8sAuthMethodHost` ((#v-externalservers-k8sauthmethodhost)) (`string: null`) - If you are setting `global.acls.manageSystemACLs` and `connectInject.enabled` to true, set `k8sAuthMethodHost` to the address of the Kubernetes API server.
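Review bot: In the added `useSystemRoots` text, the link target `#v-global-cacert` does not follow the anchor pattern of the neighbouring entries (`#v-externalservers-tlsservername`, `#v-externalservers-usesystemroots`, `#v-externalservers-k8sauthmethodhost`), which encode the full key path. For `global.tls.caCert` that pattern would suggest something like `#v-global-tls-cacert`, so please confirm the anchor resolves on the rendered page. The NOTE also leaves open whether `global.tls.caCert` must still be set when `useSystemRoots` is true, given that internal RPC always uses it; one sentence stating that requirement would remove the ambiguity for operators who enable system roots. Minor: add a comma before "which" in "internal RPC communication which will always use".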