diff --git a/doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst b/doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst index 855767d55..0e2619bf0 100644 --- a/doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst +++ b/doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst @@ -4,110 +4,22 @@ Configure REST API Applications and Web Administration Server certificate ========================================================================= -.. rubric:: |context| +|prod| provides support for secure HTTPS external connections used for |prod| +REST API application endpoints (Keystone, Barbican and |prod|) and the |prod| +web administration server. -|prod| provides support for secure HTTPS external connections used for -StarlingX REST API application endpoints (Keystone, Barbican and StarlingX) and -the |prod| web administration server. By default, HTTPS access to StarlingX -REST and Web Server endpoints is disabled. They are accessible via HTTP only. -To enable secure HTTPS access, an x509 certificate and key must be configured. +During installation, the Platform Issuer (``system-local-ca``) will +automatically issue a certificate used to secure access to the |prod| REST API +and to the Web Server GUI. This allows the system to have HTTPS access enabled +from the bootstrap to the services. This certificate will be stored in a K8s +|TLS| secret in namespace ``deployment``, named +``system-restapi-gui-certificate``. It will be managed by cert-manager, renewed +upon expiration and the required services restarted automatically. -You can update the certificate used for HTTPS access at any time. - -To configure or update the HTTPS certificate for the StarlingX REST API and Web -Server endpoints, create a certificate named ``system-restapi-gui-certificate`` -in the ``deployment`` namespace. The ``secretName`` attribute of this -certificate's spec must also be named ``system-restapi-gui-certificate``. - -See the example procedure below for creating the certificate for the StarlingX -REST API and Web Server endpoints. - -Update the following fields: - -* The ``duration`` and ``renewBefore`` dates for the expiry and renewal times - you desire. The system will automatically renew and re-install the - certificate. - - .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest - -* The ``subject`` fields to identify your particular system. - -* The ``ipAddresses`` with the |OAM| Floating IP Address for this system. - -* The ``dnsNames`` with any |FQDN| names configured for this system in an - external DNS server. - -.. note:: - - If you plan to use the container-based remote CLIs, due to a limitation in - the Python2 SSL certificate validation, the certificate used for the - ``system-restapi-gui-certificate`` certificate must either have: - - - CN=IPADDRESS and SANs=IPADDRESS - - or - - - CN=FQDN and SANs=FQDN - - where IPADDRESS and FQDN are for the |OAM| Floating IP Address. - -.. rubric:: |proc| - -#. Create the REST API certificate yaml configuration file. - - .. code-block:: - - ~(keystone_admin)]$ cat < restapi-certificate.yaml - --- - apiVersion: cert-manager.io/v1 - kind: Certificate - metadata: - name: system-restapi-gui-certificate - namespace: deployment - spec: - secretName: system-restapi-gui-certificate - issuerRef: - name: system-local-ca - kind: ClusterIssuer - duration: 2160h # 90 days - renewBefore: 360h # 15 days - commonName: < oam floating IP Address or FQDN > - subject: - organizations: - - ABC-Company - organizationalUnits: - - StarlingX-system-restapi-gui - ipAddresses: - - < oam floating IP address > - dnsNames: - - < oam floating FQDN > - EOF - - -#. Apply the configuration. - - .. code-block:: - - ~(keystone_admin)]$ kubectl apply -f restapi-certificate.yaml - - -#. Verify the configuration. - - .. code-block:: - - ~(keystone_admin)]$ kubectl get certificate system-restapi-gui-certificate -n deployment - - If configuration was successful, the certificate's Ready status will be - ``True``. - -.. rubric:: |result| - -The REST and Web Server certificate installation is now complete, and -Cert-Manager will handle the lifecycle management of the certificate. - ---------------------------------------------------------------------------- -Limitations for using IPv6 addresses related to management and OAM networks ---------------------------------------------------------------------------- - -.. include:: /shared/_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest +After bootstrap, this certificate's fields can be updated using the procedure +:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. The +certificate will be managed by cert-manager (auto renewed upon expiration). +The certificate will be anchored by ``system-local-ca``'s Root |CA|. For more +information, refer to +:ref:`system-local-ca-issuer-9196c5794834`. \ No newline at end of file