Add note for TLS settings on default rule

[makhtardiouf]

Alternative to make TLS work on the default rule or when faced with specific Subject Alternative Name requirements (e.g mandatory IPs instead of FQDN)

Description

Issue

Closes: #

[linux-foundation-easycla]

• ✅login: makhtardiouf / (f7bf556)

The committers listed above are authorized under a signed CLA.

[k8s-ci-robot]

Welcome @makhtardiouf!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nate-double-u for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• content/en/docs/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	f7bf556
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/676c79df2c4ea000081eaf8f
😎 Deploy Preview	https://deploy-preview-49233--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[sftim]

This advice is specific to one ingress controller. We could add it as part of a blog article or a tutorial, but I don't think it's right for a page about the Ingress API as a concept.

[makhtardiouf]

I would agree with that indeed

[sftim]

This note is useful, though - it's telling people to go and read the docs for the ingress controller(s) that they are actually using.

[makhtardiouf]

The intent is to rectify or complete the note before it. See capture below.
I recently faced a mandatory mTLS requirement where the client calls an endpoint and checks if the certificate matches a given IP in the S.A.Ns.

• If the TLS cert is attached to an ingress resource, k8s will attempt to match it through the host rule (FQDN, as IPs won't work).
• If it doesn't match, k8s will fallback to the default "Fake Certificate", which the client needs to ignore in order to connect.
• The only solution is to create a TLS cert, with the required -ext SubjectAlternativeName:c=IP:x.x.x.x, and apply it as default cert for the ingress controller.