From f6a6f625c0369efcf560a666352694079e869919 Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Fri, 13 Sep 2024 12:59:24 +0000 Subject: [PATCH] Certificates overview update Update documentation with certificates overview Update table with new info about system-local-ca, ssl and docker. Story: 2009811 Task: 50152 Change-Id: Icf990489f2dce5266defe31d4895e98638c10047 Signed-off-by: Elisamara Aoki Goncalves --- .../security/kubernetes/https-access-overview.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index a12893a23..02a55535a 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst 
@@ -60,21 +60,21 @@ present on |DC| SystemController systems or |DC| Subclouds. +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ | |prod| | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ - | system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of |prod| server certificates | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI | - | | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the CA certificate should | | | - | | be set to an Intermediate CA Cert/Key that has been signed by an external public Root CA. For information on how to | | | - | | update system-local.ca, see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. | | | + | system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of StarlingX server certificates. | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI | + | | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the |CA| certificate should be set | | | + | | to an Intermediate |CA| Cert/Key that has been signed by an external public Root |CA| at bootstrap through overrides or through the proper update procedure. 
| | | + | | For information on ``system-local-ca``, see :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`. | | | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ | system-openldap-local-certificate | Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as | Yes | auto-renewed by system | | | |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**. | | | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ - | ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | + | ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes | auto-renewed | | | over HTTPS. It is typically signed by **system-local-ca**. 
Services such as external RESTAPI clients or | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | | | external browsers that access |prod| RESTAPI endpoints and/or |prod| GUI (Horizon) verify | | | | | this serving certificate with **system-local-ca**. | | | | | | | | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ - | docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | + | docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes | auto-renewed | | | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | | | It is typically signed by **system-local-ca**. Services such as internal and/or external clients of registry | | | | | that access registry.local verify this serving certificate with **system-local-ca**. | | |
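Review bot: in the ssl(restapi/gui)/system-restapi-gui-certificate and docker_registry/system-registry-local-certificate rows the last column now reads only "auto-renewed" on the first line, while the unchanged next line still says "NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI"; without the condition that was removed the cell contradicts itself, so keep the qualifier ("auto-renewed if configured with cert-manager;") so the two lines read as one conditional statement. The same two rows also drop "(But the auto-created certificate is self-signed and should be changed)" from the third column; if the bootstrap-created certificate is still self-signed, that is something operators need to know before exposing the REST API, Horizon or registry.local, so either keep the caveat or state in the description what the certificate is signed by at bootstrap. Minor: the new system-local-ca description uses the literal "StarlingX" where every other row uses the |prod| substitution; keep |prod| for consistency, and confirm that the new :ref: target starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834 exists so the docs build does not emit a broken-reference warning.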