Merge "Add a note users to lock/unlock controller nodes after installing a ssl_ca"

2022-12-21 14:58:08 +00:00 · 2022-12-21 14:58:08 +00:00 · 27e9887a36
commit 27e9887a36
parent fbe184bd57 cfed9ee0dc
1 changed files with 17 additions and 0 deletions
--- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
+++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
@ -43,6 +43,19 @@ Configure OIDC Auth Applications
      :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`)
      will be used to issue this certificate.

+      .. note::
+          If a signing |CA| is not a well-known trusted |CA|, you must ensure the
+          system trusts the |CA| by specifying it either during the bootstrap
+          phase of system installation, by specifying ``ssl_ca_cert: <certificate_file>``
+          in the ansible bootstrap overrides localhost.yml file, or by using the
+          :command:`system certificate-install -m ssl_ca <certificate_file>`
+          command.
+
+      Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
+      for installing a root |CA|, which includes instruction to `lock/unlock`
+      controller nodes when using :command:`system certificate-install`
+      command.
+
      .. important::
          The namespace for ``oidc-auth-apps`` must be ``kube-system``.

@ -244,6 +257,10 @@ Configure OIDC Auth Applications
          overrides ``localhost.yml`` file, or by using the :command:`system
          certificate-install -m ssl_ca dex-ca.pem` command.

+          Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
+          for installing a root |CA|, which includes instruction to `lock/unlock`
+          controller nodes when using :command:`system certificate-install`
+          command.

      #.  Create the secret, ``local-dex.tls``, with the certificate and key,
          to be used by the **oidc-auth-apps**, as well as the secret,