Add info to indicate that only certificates with RSA keys are supported

closes-bug: 2086733

Change-Id: I1f1719e213d70e5a30abdd40c63388f0e4379fac
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
This commit is contained in:
Suzana Fernandes 2024-11-05 19:44:39 +00:00
parent df5f959cf3
commit 3150cbaf6f
6 changed files with 30 additions and 2 deletions

View File

@ -476,4 +476,7 @@ Platform Issuer (system-local-ca)
subclouds, but the leaf certificates can still be configured with the
override ``system_platform_certificate`` in separate ways.
The data provided through ``system_local_ca_key`` has to contain a RSA
private key, in unencrypted |PEM| format.
.. include:: /_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest

View File

@ -105,6 +105,14 @@ Follow the steps below to manually upgrade the system controller:
Where ``<release-id>`` is ``starlingx-24.09.0`` for above software upload
example, or it can be found out by running :command:`software list`.
The platform issuer (system-local-ca) is required to have an RSA
certificate/private key pair before upgrading. If ``system-local-ca`` was
configured with a different type of certificate/private key, the upgrade
pre check will fail with an informative message. In this case, the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
needs to be executed to reconfigure ``system-local-ca`` with the RSA
certificate/private key targeting the ``SystemController`` and all subclouds.
By default, the upgrade process cannot run and is not recommended to run
with active alarms present. It is strongly recommended that you clear your
system of all alarms before doing an upgrade.

View File

@ -98,7 +98,7 @@ playbook are:
using, on how to create an Intermediate |CA| public certificate and
private key pair.
The 'system_local_ca_cert' override must provide either:
The ``system_local_ca_cert`` override must provide either:
- A single certificate, directly signed by the Root |CA|; or
@ -109,11 +109,16 @@ playbook are:
be included in this bundle.
The ``system_local_ca_key`` override must provide only the private
key for ``system-local-ca``. Only RSA and |ECDSA| keys are supported.
key for ``system-local-ca``. Only RSA is supported for the key, which
must be provided in unencrypted |PEM| format.
The duration of the Intermediate |CA| public certificate should be at
least 3 years. See *ica_duration* to modify this semantic check.
.. only:: partner
.. include:: /_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
.. warning::
The private key for ``system-local-ca`` should be handled carefully,

View File

@ -58,6 +58,12 @@ standard configuration.
- The system should be patch current, that is, all the available patch
releases for the current major release should be deployed.
- The platform issuer (system-local-ca) must be configured with an RSA
certificate/private key. If ``system-local-ca`` was configured with a
different type of certificate/private key, use the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
to reconfigure it with the RSA certificate/private key.
.. rubric:: |proc|
#. For a duplex (dual controller) system, switch the activity from

View File

@ -139,6 +139,12 @@ to control and monitor their progress manually.
| <new-release-id> | True | available |
+--------------------------+-------+-----------+
- For a major release deployment, the platform issuer (system-local-ca) must be
configured beforehand with an RSA certificate/private key. If ``system-local-ca``
was configured with a different type of certificate/private key, use the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
to reconfigure it with RSA certificate/private key.
.. rubric:: |proc|
#. Create a software deployment orchestration strategy for a specified software