[DOC] Improve the hostname verification docs for NodePort listeners (#…

…10880) Signed-off-by: Jakub Scholz <www@scholzj.com> Co-authored-by: PaulRMellor <47596553+PaulRMellor@users.noreply.github.com>
strimzi · Nov 27, 2024 · 7b06cc6 · 7b06cc6
1 parent 364bf38
commit 7b06cc6
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/documentation/modules/deploying/con-hostname-verification-node-ports.adoc b/documentation/modules/deploying/con-hostname-verification-node-ports.adoc
@@ -6,7 +6,8 @@
 = Troubleshooting TLS hostname verification with node ports
 
 [role="_abstract"]
-Off-cluster access using node ports with TLS encryption enabled does not support TLS hostname verification. 
+Off-cluster access using node ports with TLS encryption enabled does not support TLS hostname verification.
+This is because Strimzi does not know the address of the node where the broker pod is scheduled and cannot include it in the broker certificate.
 Consequently, clients that perform hostname verification will fail to connect.
 
 For example, a Java client will fail with the following exception:
@@ -29,4 +30,8 @@ ssl.endpoint.identification.algorithm=
 When configuring the client directly in Java, set the configuration option to an empty string:
 
 [source,java]
-props.put("ssl.endpoint.identification.algorithm", "");
+props.put("ssl.endpoint.identification.algorithm", "");
+
+Alternatively, if you know the addresses of the worker nodes where the brokers are scheduled, you can add them as additional SANs (Subject Alternative Names) to the broker certificates manually. 
+For example, this might apply if your cluster is running on a bare metal deployment with a limited number of available worker nodes. 
+Use the link:{BookURLConfiguring}#property-listener-config-altnames-reference[`alternativeNames` property ^] to specify additional SANS.