From 36a751652a44c7a405e1609bb1c4be2a02012e12 Mon Sep 17 00:00:00 2001
From: Dmitry Chepurovskiy <me@dm3ch.net>
Date: Mon, 24 Mar 2025 04:39:46 +0400
Subject: [PATCH] Update traffic-management/ingress/secure-ingress/index.md
 adding information about separarte CA secret support for TLS Secret (#16333)

---
 .../tasks/traffic-management/ingress/secure-ingress/index.md     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
index 0876568564..3c41680f44 100644
--- a/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
+++ b/content/en/docs/tasks/traffic-management/ingress/secure-ingress/index.md
@@ -624,6 +624,7 @@ EOF
 Istio supports reading a few different Secret formats, to support integration with various tools such as [cert-manager](/docs/ops/integrations/certmanager/):
 
 * A TLS Secret with keys `tls.key` and `tls.crt`, as described above. For mutual TLS, a `ca.crt` key can be used.
+* A TLS Secret with keys `tls.key` and `tls.crt`, as described above. For mutual TLS, a separate generic Secret named `<secret>-cacert`, with a `cacert` key. For example, `httpbin-credential` has `tls.key` and `tls.crt`, and `httpbin-credential-cacert` has `cacert`.
 * A generic Secret with keys `key` and `cert`. For mutual TLS, a `cacert` key can be used.
 * A generic Secret with keys `key` and `cert`. For mutual TLS, a separate generic Secret named `<secret>-cacert`, with a `cacert` key. For example, `httpbin-credential` has `key` and `cert`, and `httpbin-credential-cacert` has `cacert`.
 * The `cacert` key value can be a CA bundle consisting of concatenated individual CA certificates.