update docs

README.md

@@ -7,7 +7,7 @@
 ## Description
 This operator can assist in reconfiguring a cluster once it has been moved to a new location. It performs the following steps:
 
-* Update the API and Ingress domain aliases using a generated self-signed certificate, or using a user provided certificate.
+* Update the API and Ingress domain aliases using a generated certificate (signed by loadbalancer-serving-signer), or using a user provided certificate.
 * Update the internal DNS records for the API and Ingress (SNO only).
 * (Optional) Update the cluster-wide pull secret.
 * (Optional) Add new SSH keys for the 'core' user.

api/v1beta1/clusterrelocation_types.go

@@ -38,7 +38,7 @@ type ClusterRelocationSpec struct {
 	AddInternalDNSEntries *bool `json:"addInternalDNSEntries,omitempty"`
 
 	// APICertRef is a reference to a TLS secret that will be used for the API server.
-	// If it is omitted, a self-signed certificate will be generated.
+	// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
 	// The type of the secret must be kubernetes.io/tls.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
 	APICertRef *corev1.SecretReference `json:"apiCertRef,omitempty"`
@@ -56,7 +56,7 @@ type ClusterRelocationSpec struct {
 	ImageDigestMirrors []configv1.ImageDigestMirrors `json:"imageDigestMirrors,omitempty"`
 
 	// IngressCertRef is a reference to a TLS secret that will be used for the Ingress Controller.
-	// If it is omitted, a self-signed certificate will be generated.
+	// If it is omitted, a certificate will be generated and signed by loadbalancer-serving-signer.
 	// The type of the secret must be kubernetes.io/tls.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec
 	IngressCertRef *corev1.SecretReference `json:"ingressCertRef,omitempty"`

config/crd/bases/rhsyseng.github.io_clusterrelocations.yaml

@@ -246,8 +246,9 @@ spec:
                 type: boolean
               apiCertRef:
                 description: APICertRef is a reference to a TLS secret that will be
-                  used for the API server. If it is omitted, a self-signed certificate
-                  will be generated. The type of the secret must be kubernetes.io/tls.
+                  used for the API server. If it is omitted, a certificate will be
+                  generated and signed by loadbalancer-serving-signer. The type of
+                  the secret must be kubernetes.io/tls.
                 properties:
                   name:
                     description: name is unique within a namespace to reference a
@@ -341,8 +342,9 @@ spec:
                 type: array
               ingressCertRef:
                 description: IngressCertRef is a reference to a TLS secret that will
-                  be used for the Ingress Controller. If it is omitted, a self-signed
-                  certificate will be generated. The type of the secret must be kubernetes.io/tls.
+                  be used for the Ingress Controller. If it is omitted, a certificate
+                  will be generated and signed by loadbalancer-serving-signer. The
+                  type of the secret must be kubernetes.io/tls.
                 properties:
                   name:
                     description: name is unique within a namespace to reference a

internal/api/reconcile.go

@@ -23,7 +23,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 	var origSecretName string
 	var origSecretNamespace string
 	if relocation.Spec.APICertRef == nil {
-		// If they haven't specified an APICertRef, we generate a self-signed certificate for them
+		// If they haven't specified an APICertRef, we generate a certificate for them
 		origSecretName = "generated-api-secret"
 		origSecretNamespace = rhsysenggithubiov1beta1.ConfigNamespace
 		secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
@@ -63,7 +63,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			return err
 		}
 		if op != controllerutil.OperationResultNone {
-			logger.Info("Self-signed API TLS cert modified", "OperationResult", op)
+			logger.Info("API TLS cert modified", "OperationResult", op)
 		}
 	} else {
 		if relocation.Spec.APICertRef.Name == "" || relocation.Spec.APICertRef.Namespace == "" {

internal/ingress/reconcile.go

@@ -29,7 +29,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 	var origSecretName string
 	var origSecretNamespace string
 	if relocation.Spec.IngressCertRef == nil {
-		// If they haven't specified an IngressCertRef, we generate a self-signed certificate for them
+		// If they haven't specified an IngressCertRef, we generate a certificate for them
 		origSecretName = "generated-ingress-secret"
 		origSecretNamespace = rhsysenggithubiov1beta1.IngressNamespace
 		secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: origSecretName, Namespace: origSecretNamespace}}
@@ -69,7 +69,7 @@ func Reconcile(ctx context.Context, c client.Client, scheme *runtime.Scheme, rel
 			return err
 		}
 		if op != controllerutil.OperationResultNone {
-			logger.Info("Self-signed Ingress TLS cert modified", "OperationResult", op)
+			logger.Info("Ingress TLS cert modified", "OperationResult", op)
 		}
 
 		secretName := origSecretName

internal/secrets/secrets.go

@@ -73,7 +73,7 @@ func GenerateTLSKeyPair(ctx context.Context, c client.Client, domain string, pre
 		return nil, err
 	}
 
-	// Create a self-signed certificate template
+	// Create a certificate template
 	certificateTemplate := x509.Certificate{
 		SerialNumber:          big.NewInt(1),
 		Subject:               pkix.Name{CommonName: fmt.Sprintf("%s.%s", prefix, domain)},
@@ -83,7 +83,7 @@ func GenerateTLSKeyPair(ctx context.Context, c client.Client, domain string, pre
 		DNSNames:              []string{fmt.Sprintf("%s.%s", prefix, domain)},
 	}
 
-	// Create a self-signed certificate using the private key and certificate template
+	// Create a certificate using the private key and certificate template, signed by loadbalancer-serving-signer
 	derBytes, err := x509.CreateCertificate(rand.Reader, &certificateTemplate, lbSigningCert, &privateKey.PublicKey, lbSigningPrivateKey)
 	if err != nil {
 		return nil, err