argoproj-labs · svghadi · Oct 28, 2024
diff --git a/docs/usage/routes.md b/docs/usage/routes.md
@@ -3,7 +3,7 @@
 The Argo CD Operator offers support for managing OpenShift Routes to access the Argo CD resources.
 
 Once the operator is deployed and running, create a new ArgoCD custom resource.
-The following example shows the minimal required to create a new ArgoCD
+The following [example](https://github.com/argoproj-labs/argocd-operator/blob/master/examples/argocd-route.yaml) shows the minimal required to create a new ArgoCD
 environment with the default configuration.
 
 ``` bash
@@ -50,6 +50,9 @@ $ kubectl get secret argocd-cluster -n argocd -ojsonpath='{.data.admin\.password
 
 By default, the operator creates the Argo CD server route with `reencrypt` termination policy. You can parameterize the route's TLS configuration by setting appropriate values in the `.spec.server.route.tls` field of the `ArgoCD` CR.
 
+!!! warning
+    It is not recommended to use `.route.tls.key` & `.route.tls.certificate` fields to configure custom certificates for Argo CD routes. Use `.route.tls.externalCertificate` field instead. Refer [Custom TLS certificates](#custom-tls-certificates) section for more information.
+
 ### TLS edge termination mode
 
 In `edge` termination mode, the route controller terminates the TLS connection and proxies the requests
@@ -120,6 +123,42 @@ spec:
         termination: reencrypt
         insecureEdgeTerminationPolicy: Redirect
 ```
+
+### Custom TLS certificates 
+
+Custom TLS certificates can be configured for Argo CD Server Route using `.route.tls.externalCertificate.Name` field in ArgoCD CR. Use this field to reference a Kubernetes secret of type `kubernetes.io/tls`. Any modifications to the referenced secret will automatically reflect on the route without the need for manual intervention.
+
+!!! warning
+    It is not recommended to use `.route.tls.key` & `.route.tls.certificate` fields to configure custom certificates for Argo CD routes, as the sensitive TLS data will be stored as plain text in ArgoCD CR. Use `.route.tls.externalCertificate.Name` field instead to reference a Kubernetes secret of type `kubernetes.io/tls`.
+
+To provide custom certificate for route, you can use the following configuration:
+
+```yaml
+spec:
+  server:
+    route:
+      enabled: true
+      tls:
+        externalCertificate: 
+          name: <your-tls-type-secret>
+```
+
+!!! note
+    The secret referenced in `.tls.externalCertificate.Name` should be of type `kubernetes.io/tls`.
+
+Example TLS secret:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: <example-tls-type-secret>
+  namespace: <argocd-namespace>
+type: kubernetes.io/tls
+data:
+  tls.crt: <certifcate>
+  tls.key: <key>
+```
+
 ### Host for Route in Argo CD Status
 
 When setting up access to Argo CD via a Route, one can easily retrieve the hostname used for accessing the Argo CD installation through the ArgoCD Operand's `status` field. To expose the `host` field, run `kubectl edit argocd argocd` and then edit the Argo CD instance server to have route enabled as `true`, like so: