From ee2a4b832513416293c505d97edfacfe1c5d3be6 Mon Sep 17 00:00:00 2001
From: Fabian Fischer <glrf@users.noreply.github.com>
Date: Mon, 10 Jan 2022 10:47:30 +0100
Subject: [PATCH] Add reference for apiserver configuration

---
 .../ROOT/pages/references/parameters.adoc     | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index ffb4844..6e1870c 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -10,6 +10,30 @@ default:: `appuio-control-api`
 
 The namespace in which to deploy this component.
 
+== `apiserver.apiservice`
+type:: dict
+
+== `apiserver.tls`
+
+This key configures encryption of internal traffic, meaning from the Kubernetes API server to our aggregate API sever.
+
+You have the option to provide a custom TLS key and certificate.
+
+If any of the following fields are set to `null` or empty string, the aggregate API server will generate its own certificates.
+In that case the connection is still encrypted, but you need to disable TLS verification by setting `insecureSkipTLSVerify` to `true` in the APIService.
+
+=== `apiserver.tls.certSecretName`
+type:: string
+default:: `control-api-tls`
+
+=== `apiserver.tls.serverCert`
+type:: string
+default:: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-cert}"
+
+=== `apiserver.tls.serverKey`
+type:: string
+default:: "?{vaultkv:${customer:name}/${cluster:name}/${_instance}/apiserver-key}"
+
 == `zones`
 
 [horizontal]