Merge "Certificates overview update"
commit 4b4e6fcf15
@ -60,21 +60,21 @@ present on |DC| SystemController systems or |DC| Subclouds.
|
||||
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
|
||||
| |prod| |
|
||||
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
|
||||
| system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of |prod| server certificates | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
|
||||
| | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the CA certificate should | | |
|
||||
| | be set to an Intermediate CA Cert/Key that has been signed by an external public Root CA. For information on how to | | |
|
||||
| | update system-local.ca, see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. | | |
|
||||
| system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of StarlingX server certificates. | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
|
||||
| | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the |CA| certificate should be set | | |
|
||||
| | to an Intermediate |CA| Cert/Key that has been signed by an external public Root |CA| at bootstrap through overrides or through the proper update procedure. | | |
|
||||
| | For information on ``system-local-ca``, see :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`. | | |
|
||||
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
|
||||
| system-openldap-local-certificate | Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as | Yes | auto-renewed by system |
|
||||
| | |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**. | | |
|
||||
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
|
||||
| ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
||||
| ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes | auto-renewed |
|
||||
| | over HTTPS. It is typically signed by **system-local-ca**. Services such as external RESTAPI clients or | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
||||
| | external browsers that access |prod| RESTAPI endpoints and/or |prod| GUI (Horizon) verify | | |
|
||||
| | this serving certificate with **system-local-ca**. | | |
|
||||
| | | | |
|
||||
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
|
||||
| docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
||||
| docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes | auto-renewed |
|
||||
| | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
||||
| | It is typically signed by **system-local-ca**. Services such as internal and/or external clients of registry | | |
|
||||
| | that access registry.local verify this serving certificate with **system-local-ca**. | | |
|
||||
|
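
Review bot: In the ssl(restapi/gui)/system-restapi-gui-certificate and docker_registry/system-registry-local-certificate rows, the renewal column now opens with a bare "auto-renewed", yet the next line of the same cell still reads "NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI", so with the "if configured with cert-manager;" qualifier gone the cell contradicts itself. Either keep the qualifier or drop the continuation line; as it stands an operator cannot tell from the table whether these serving certificates need manual renewal before they expire. In the system-local-ca row, "through the proper update procedure" names no procedure, and the new :ref: no longer points at the migrate-platform-certificates page the old text gave for updating the CA; since this certificate is marked "MUST be renewed via CLI", link the renewal procedure explicitly. The same row also spells out "StarlingX" where the neighbouring rows use the |prod| substitution.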