diff --git a/doc/source/_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest b/doc/source/_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest new file mode 100644 index 000000000..e69de29bb diff --git a/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst b/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst index 1732c1fe3..dc52cb56d 100644 --- a/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst +++ b/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst @@ -476,4 +476,7 @@ Platform Issuer (system-local-ca) subclouds, but the leaf certificates can still be configured with the override ``system_platform_certificate`` in separate ways. + The data provided through ``system_local_ca_key`` has to contain a RSA + private key, in unencrypted |PEM| format. + .. include:: /_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest \ No newline at end of file diff --git a/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst b/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst index 92794e2a4..c3ba21367 100644 --- a/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst +++ b/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst 
@@ -105,6 +105,14 @@ Follow the steps below to manually upgrade the system controller: Where ```` is ``starlingx-24.09.0`` for above software upload example, or it can be found out by running :command:`software list`. + The platform issuer (system-local-ca) is required to have an RSA + certificate/private key pair before upgrading. If ``system-local-ca`` was + configured with a different type of certificate/private key, the upgrade + pre check will fail with an informative message. In this case, the + :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure + needs to be executed to reconfigure ``system-local-ca`` with the RSA + certificate/private key targeting the ``SystemController`` and all subclouds. + By default, the upgrade process cannot run and is not recommended to run with active alarms present. It is strongly recommended that you clear your system of all alarms before doing an upgrade. diff --git a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst index 75796bc1e..c685338c4 100644 --- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst +++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst @@ -98,7 +98,7 @@ playbook are: using, on how to create an Intermediate |CA| public certificate and private key pair. - The 'system_local_ca_cert' override must provide either: + The ``system_local_ca_cert`` override must provide either: - A single certificate, directly signed by the Root |CA|; or 
@@ -109,11 +109,16 @@ playbook are: be included in this bundle. The ``system_local_ca_key`` override must provide only the private - key for ``system-local-ca``. Only RSA and |ECDSA| keys are supported. + key for ``system-local-ca``. Only RSA is supported for the key, which + must be provided in unencrypted |PEM| format. The duration of the Intermediate |CA| public certificate should be at least 3 years. See *ica_duration* to modify this semantic check. + .. only:: partner + + .. include:: /_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest + .. warning:: The private key for ``system-local-ca`` should be handled carefully, diff --git a/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst b/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst index 640c33fc7..4f9f02ae9 100644 --- a/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst +++ b/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst @@ -58,6 +58,12 @@ standard configuration. - The system should be patch current, that is, all the available patch releases for the current major release should be deployed. +- The platform issuer (system-local-ca) must be configured with an RSA + certificate/private key. If ``system-local-ca`` was configured with a + different type of certificate/private key, use the + :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure + to reconfigure it with the RSA certificate/private key. + .. rubric:: |proc| #. For a duplex (dual controller) system, switch the activity from diff --git a/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst b/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst index f008180d3..df58b6676 100644 --- a/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst 
+++ b/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst @@ -139,6 +139,12 @@ to control and monitor their progress manually. | | True | available | +--------------------------+-------+-----------+ +- For a major release deployment, the platform issuer (system-local-ca) must be + configured beforehand with an RSA certificate/private key. If ``system-local-ca`` + was configured with a different type of certificate/private key, use the + :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure + to reconfigure it with RSA certificate/private key. + .. rubric:: |proc| #. Create a software deployment orchestration strategy for a specified software
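Review bot: In the ``ansible_bootstrap_configs.rst`` hunk, "has to contain a RSA private key" should read "an RSA private key", and the unchanged context line below it includes ``/_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest`` while this patch creates the (empty) partner file under ``doc/source/_includes/`` and the security page includes it from ``/_includes/`` inside an ``.. only:: partner`` block; please confirm the ``_myincludes`` path resolves, or point the bootstrap page at the same ``/_includes/`` file under the same ``.. only:: partner`` guard. The file also still ends with "No newline at end of file", which is worth fixing while the line is being touched.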
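Review bot: In the ``upgrading-the-systemcontroller-using-the-cli.rst`` hunk, "upgrade pre check" should be hyphenated as "pre-check" for consistency with the rest of the page, and "will fail with an informative message" leaves the operator no way to verify the key type before the upgrade window; consider adding one sentence telling the reader how to confirm that ``system-local-ca`` currently holds an RSA key pair (the same check the pre-check performs), so the migration can be scheduled ahead of time rather than discovered at pre-check failure. The last sentence could also say plainly that the migration procedure re-issues the leaf certificates on the ``SystemController`` and all subclouds, since that is the operational impact the reader is deciding on.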
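Review bot: In the ``migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst`` hunk, replacing "Only RSA and |ECDSA| keys are supported" with "Only RSA is supported for the key" silently withdraws previously documented guidance; since the other hunks in this patch make a non-RSA ``system-local-ca`` an upgrade blocker, this paragraph should state explicitly that deployments that followed the earlier guidance and used an |ECDSA| key must re-run this procedure with an RSA key before upgrading. The new requirement that the key be "in unencrypted |PEM| format" also means the override file now carries the Intermediate |CA| private key in cleartext; the ``.. warning::`` immediately below is the right place to extend that point (protect the override file at rest, and remove or securely delete it once the playbook has run) rather than leaving it implicit.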
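Review bot: The two ``updates/kubernetes`` hunks state the same prerequisite with different scope: ``manual-host-software-deployment-ee17ec6f71a4.rst`` makes the RSA ``system-local-ca`` requirement unconditional, while ``orchestrated-deployment-host-software-deployment-d234754c7d20.rst`` limits it to "a major release deployment", and the system-controller hunk ties it to the upgrade pre-check. Please align the two bullets (either qualify the manual-host bullet the same way or drop the qualifier in the orchestrated one) so a reader of one page is not told patch deployments are blocked when the other page says they are not. In the orchestrated bullet, "reconfigure it with RSA certificate/private key" is also missing the article ("with an RSA certificate/private key"), which the manual-host bullet already has.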