From 5c99525ed37a8af1f189020768cc42add2c3f6e8 Mon Sep 17 00:00:00 2001
From: Erwin van Eyk <erwinvaneyk@gmail.com>
Date: Wed, 14 Aug 2019 15:18:34 +0200
Subject: [PATCH] Clarify the origin of openid-ca

---
 Documentation/kubernetes.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Documentation/kubernetes.md b/Documentation/kubernetes.md
index 291fbc44..80edf2e4 100644
--- a/Documentation/kubernetes.md
+++ b/Documentation/kubernetes.md
@@ -43,6 +43,7 @@ Additional notes:
 * Kubernetes only trusts ID Tokens issued to a single client.
   * As a work around dex allows clients to [trust other clients][trusted-peers] to mint tokens on their behalf.
 * If a claim other than "email" is used for username, for example "sub", it will be prefixed by `"(value of --oidc-issuer-url)#"`. This is to namespace user controlled claims which may be used for privilege escalation.
+* The `/etc/ssl/certs/openid-ca.pem` used here is the CA from the [generated TLS assets](#generate-tls-assets), and is assumed to be present on the cluster nodes.
 
 ## Deploying dex on Kubernetes