Merge "Front-proxy-client and front-proxy-ca certificates are not documented (r8,dsR8)"

doc/source/security/kubernetes/https-access-overview.rst

@@ -33,6 +33,10 @@ in the following sections.
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
     | kubelet client certificate                                | Yes                                                                         | auto-renewed by kubelet feature enabled by default                                                     |
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
+    | front-proxy-client                                        | Yes                                                                         | front-proxy-client: auto-renewed by cron job                                                           |
+    +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
+    | front-proxy-ca                                            | Yes                                                                         | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years                                    |
+    +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
     |                                                                                                                                                                                                                                                  |
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
     | etcd Root CA certificate                                  | Yes                                                                         | NOT AUTO-RENEWED; Default expiry is set at 10 years                                                    |

doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst

@@ -13,9 +13,9 @@ for the external ``kube-apiserver`` API endpoint. By default, the Kubernetes
 Root |CA| is automatically generated at install time.
 
 If desired, you can externally generate a Root |CA| certificate and key, and
-configure it as the Kubernetes Root |CA| during installation. Upstream
-Kubernetes (v1.18) only supports a Root |CA| for the Kubernetes Root |CA|; NOT
-an Intermediate |CA|.
+configure it as the Kubernetes Root |CA| during installation. Currently,
+StarlingX supports only Internal |CA| mode with Kubernetes, which only supports
+a Root |CA| for the Kubernetes Root |CA|, not an Intermediate |CA|.
 
 The public certificate of the Kubernetes Root |CA|, whether auto-generated or
 specified, needs to be configured as a trusted |CA| by external servers
@@ -123,6 +123,17 @@ one file:
 
 This certificate is configured to auto renew.
 
+**front-proxy-client certificate**
+
+Client certificates signed by ``front-proxy`` Root |CA| certificate. It is used
+by ``apiserver/aggregator`` to connect to aggregated apiserver(extension
+APIserver).
+
+**front-proxy-ca certificate**
+
+The ``front-proxy`` Root |CA| certificate. front-proxy certificates are
+required only if you run ``kube-proxy`` to support an extension API server.
+
 .. toctree::
    :maxdepth: 1