Editorial updates on Security Guide upstream

Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure

Patch 2: Acted on Greg's and Ron's comments.

Patch 3: Acted on Greg's comment.

Patch 4: Acted on Mary's comments.

Patch 5: Solved merge conflict.

Patch 6: Worked on Mary's comments.

Patch 7: Fixed build conflict.

Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
This commit is contained in:
egoncalv 2021-05-20 14:11:59 -03:00
parent b0906101ef
commit 5579744656
27 changed files with 171 additions and 426 deletions

View File

@ -34,10 +34,12 @@ for the external Root CA that you are using, on how to create public
certificate and private key pairs, signed by an intermediate or Root CA, for
HTTPS.
.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating
Certificates <creating-certificates-locally-using-openssl>` to create a
Intermediate or test Root CA certificate and key, and use it to sign test
certificates.
.. xreflink
For lab purposes, see |sec-doc|: :ref:`Create Certificates Locally
using openssl <create-certificates-locally-using-openssl>` to create an
Intermediate or test Root CA certificate and key, and use it to sign test
certificates.
Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and
key in a single file, and copy the file to the controller host.

View File

@ -2,9 +2,9 @@
.. ibp1552572465781
.. _about-keystone-accounts:
=======================
About Keystone Accounts
=======================
=================
Keystone Accounts
=================
|prod| uses tenant accounts and user accounts to identify and manage access to
StarlingX resources, and images in the Local Docker Registry.

View File

@ -2,9 +2,9 @@
.. qfk1564403051860
.. _add-a-trusted-ca:
================
Add a Trusted CA
================
==============================
Manage Trusted CA Certificates
==============================
Generally a trusted |CA| certificate needs to be added if |prod| clients on
the hosts will be connecting to server\(s\) secured with SSL and whose

View File

@ -0,0 +1,17 @@
.. _cert-manager-post-installation-setup:
====================================
Cert-Manager Post Installation Setup
====================================
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user

View File

@ -2,9 +2,9 @@
.. cms1597171128588
.. _configure-vault-using-the-cli:
=============================
Configure Vault Using the CLI
=============================
===================================
Configure Vault Using the Vault CLI
===================================
After Vault has been installed, you can configure Vault for use with |prod|
using the |CLI|. This section describes the minimum configuration

View File

@ -2,9 +2,9 @@
.. xgp1596216287484
.. _configure-vault:
===============
Configure Vault
===============
========================================
Configure Vault Using the Vault REST API
========================================
After Vault has been installed, you can configure Vault for use by hosted
Kubernetes applications on |prod|. This section describes the minimum

View File

@ -15,6 +15,10 @@ namespaces.
A cluster-admin ClusterRole is defined by default for such a user. To create
an admin service account with cluster-admin role, use the following procedure:
.. note::
It is recommended that you create and manage service accounts within the
kube-system namespace.
.. rubric:: |proc|
#. Create the user definition.
@ -61,3 +65,8 @@ an admin service account with cluster-admin role, use the following procedure:
access using tools such as :command:`kubectl` and :command:`helm` for a
service account such as this.
.. note::
|prod| can also use user accounts defined in an external Windows Active
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
Auth Applications <configure-oidc-auth-applications>`.

View File

@ -1,108 +0,0 @@
.. qtr1594910639395
.. _creating-certificates-locally-using-cert-manager-on-the-controller:
================================================================
Create Certificates Locally using cert-manager on the Controller
================================================================
You can use :command:`cert-manager` to locally create certificates suitable for
use in a lab environment.
.. rubric:: |proc|
#. Create a Root |CA| Certificate and Key.
#. Create a self-signing issuer.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: my-selfsigning-issuer
spec:
selfSigned: {}
" | kubectl apply -f -
#. Create a Root |CA| certificate and key.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: my-rootca-certificate
spec:
secretName: my-rootca-certificate
commonName: "my-rootca"
isCA: true
issuerRef:
name: my-selfsigning-issuer
kind: Issuer
" | kubectl apply -f -
#. Create a Root |CA| Issuer.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: my-rootca-issuer
spec:
ca:
secretName: my-rootca-certificate
" | kubectl apply -f -
#. Create files for the Root |CA| certificate and key.
.. code-block:: none
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
#. Create and sign a Server certificate and key
#. Create the Server certificate and key.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: my-server-certificate
spec:
secretName: my-server-certificate
duration: 2160h # 90d
renewBefore: 360h # 15d
organization:
- WindRiver
commonName: 1.1.1.1
dnsNames:
- myserver.wrs.com
ipAddresses:
- 1.1.1.1
issuerRef:
name: my-rootca-issuer
kind: Issuer
" | kubectl apply -f -
#. Create the |PEM| files for Server certificate and key.
.. code-block:: none
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
#. Combine the server certificate and key in a single file.
.. code-block:: none
$ cat my-server-cert.pem my-server-key.pem > my-server.pem

View File

@ -1,64 +0,0 @@
.. rmn1594906401238
.. _creating-certificates-locally-using-openssl:
=========================================
Create Certificates Locally using openssl
=========================================
You can use :command:`openssl` to locally create certificates suitable for use
in a lab environment.
.. rubric:: |proc|
.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
#. Create a Root |CA| Certificate and Key
#. Create the Root |CA| private key.
.. code-block:: none
$ openssl genrsa -out my-root-ca-key.pem 2048
#. Generate the Root |CA| x509 certificate.
.. code-block:: none
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
#. Create and sign a server certificate and key.
#. Create the server private key.
.. code-block:: none
$ openssl genrsa -out my-server-key.pem 2048
#. Create the Server certificate signing request \(csr\).
Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
password.
.. code-block:: none
$ openssl req -new -key my-server-key.pem -out my-server.csr
#. Create the |SANs| list.
.. code-block:: none
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
#. Use the my-root-ca to sign the server certificate.
.. code-block:: none
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
#. Put the server certificate and key in a single file.
.. code-block:: none
$ cat my-server-cert.pem my-server-key.pem > my-server.pem

View File

@ -14,19 +14,10 @@ These include:
.. _https-access-overview-ul-eyn-5ln-gjb:
- |prod| REST API applications and the |prod| web administration server
- Kubernetes API
- Local Docker registry
.. contents::
:local:
:depth: 1
You can also add a trusted Certificate Authority \(CA\) for the |prod| system.
.. _https-access-overview-section-N10048-N10024-N10001:
-------------------------------------------------------

View File

@ -7,57 +7,13 @@ System Accounts
***************
.. toctree::
:maxdepth: 1
:maxdepth: 2
types-of-system-accounts
overview-of-system-accounts
kube-service-account
keystone-accounts
remote-windows-active-directory-accounts
Linux User Accounts
*******************
.. toctree::
:maxdepth: 1
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
estabilish-credentials-for-linux-user-accounts
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login
Kubernetes Service Accounts
***************************
.. toctree::
:maxdepth: 1
kubernetes-service-accounts
create-an-admin-type-service-account
Keystone Accounts
*****************
.. toctree::
:maxdepth: 1
about-keystone-accounts
keystone-account-authentication
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery
Password Rules
**************
.. toctree::
:maxdepth: 1
starlingx-system-accounts-system-account-password-rules
*****************
@ -70,9 +26,6 @@ Access the System
configure-local-cli-access
remote-access-index
security-access-the-gui
configure-http-and-https-ports-for-horizon-using-the-cli
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard
security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy
@ -129,21 +82,18 @@ Firewall Options
.. toctree::
:maxdepth: 1
security-firewall-options
security-default-firewall-rules
security-firewall-options
*************************
Secure HTTPS Connectivity
*************************
.. toctree::
:maxdepth: 1
:maxdepth: 2
https-access-overview
starlingx-rest-api-applications-and-the-web-administration-server
enable-https-access-for-starlingx-rest-and-web-server-endpoints
install-update-the-starlingx-rest-and-web-server-certificate
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
kubernetes-root-ca-certificate
security-install-update-the-docker-registry-certificate
add-a-trusted-ca
@ -157,17 +107,7 @@ Cert Manager
security-cert-manager
the-cert-manager-bootstrap-process
Post Installation Setup
***********************
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
cert-manager-post-installation-setup
******************************
Portieris Admission Controller
@ -178,8 +118,8 @@ Portieris Admission Controller
portieris-overview
install-portieris
remove-portieris
portieris-clusterimagepolicy-and-imagepolicy-configuration
remove-portieris
********************************
Vault Secret and Data Management
@ -190,16 +130,9 @@ Vault Secret and Data Management
security-vault-overview
install-vault
remove-vault
Configure Vault
***************
.. toctree::
:maxdepth: 1
configure-vault
configure-vault-using-the-cli
remove-vault
**************************************
Encrypt Kubernetes Secret Data at Rest
@ -227,8 +160,6 @@ Operator Command Logging
:maxdepth: 1
operator-command-logging
operator-login-authentication-logging
operator-command-logging
****************
UEFI Secure Boot
@ -240,15 +171,6 @@ UEFI Secure Boot
overview-of-uefi-secure-boot
use-uefi-secure-boot
***********************
Trusted Platform Module
***********************
.. toctree::
:maxdepth: 1
tpm-configuration-considerations
***********************************
Authentication of Software Delivery
***********************************
@ -267,16 +189,6 @@ Security Feature Configuration for Spectre and Meltdown
security-feature-configuration-for-spectre-and-meltdown
***************************
Locally Create Certificates
***************************
.. toctree::
:maxdepth: 1
create-certificates-locally-using-openssl
create-certificates-locally-using-cert-manager-on-the-controller
*****************************
Security Hardening Guidelines
*****************************
@ -318,11 +230,11 @@ Security Features
isolate-starlingx-internal-cloud-management-network
***************************************
Appendix: Locally creating certifciates
Appendix: Locally creating certificates
***************************************
.. toctree::
:maxdepth: 1
creating-certificates-locally-using-cert-manager-on-the-controller
creating-certificates-locally-using-openssl
create-certificates-locally-using-openssl
create-certificates-locally-using-cert-manager-on-the-controller

View File

@ -2,9 +2,9 @@
.. law1570030645265
.. _install-update-the-starlingx-rest-and-web-server-certificate:
=================================================================
============================================================
Install/Update the StarlingX Rest and Web Server Certificate
=================================================================
============================================================
Use the following procedure to install or update the certificate for the REST
API application endpoints \(Keystone, Barbican and StarlingX\) and the web
@ -18,12 +18,10 @@ Intermediate or Root |CA| that you are using, on how to create public
certificate and private key pairs, signed by intermediate or a Root |CA|, for
HTTPS.
.. xbooklink
For lab purposes, see :ref:`Locally Creating Certificates
<creating-certificates-locally-using-openssl>` for how to create a test
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a test
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
Put the |PEM| encoded versions of the certificate and key in a single file,
and copy the file to the controller host.

View File

@ -10,5 +10,13 @@ Keystone Accounts
StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
Registry. |prod|'s Keystone uses the default local SQL Backend.
See :ref:`About Keystone Accounts <about-keystone-accounts>` for more details.
See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
.. toctree::
:maxdepth: 1
about-keystone-accounts
keystone-account-authentication
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery

View File

@ -9,6 +9,7 @@ Kubernetes Service Accounts
|prod| uses Kubernetes service accounts and |RBAC| policies for authentication
and authorization of users of the Kubernetes API, |CLI|, and Dashboard.
See :ref:`Kubernetes Service Accounts <kubernetes-service-accounts>` for more
details.
.. toctree::
:maxdepth: 1
create-an-admin-type-service-account

View File

@ -14,11 +14,9 @@ It is recommended that you update the Kubernetes Root |CA| and with a custom
Root |CA| certificate and key, generated by yourself, and trusted by external
servers connecting to the |prod|'s Kubernetes API endpoint.
.. xbooklink
See :ref:`Locally Creating Certificates
<creating-certificates-locally-using-openssl>` for how to create a
private Root |CA| certificate and key.
See :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a private Root
|CA| certificate and key.
.. caution::
The default duration for the generated Kubernetes Root CA certificate is 10
@ -41,16 +39,23 @@ certificate and key for the Kubernetes root |CA|.
Specifies the certificate for the Kubernetes root |CA|. The
<k8s\_root\_ca\_cert> value is the absolute path of the certificate
file. The certificate must be in |PEM| format and the value must be
provided as part of a pair with <k8s\_root\_ca\_key>. The playbook will
not proceed if only one value is provided.
provided as part of a pair with <k8s\_root\_ca\_key>.
**<k8s\_root\_ca\_key>**
Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key>
value is the absolute path of the certificate file. The certificate
must be in |PEM| format and the value must be provided as part of a pair
with <k8s\_root\_ca\_cert>. The playbook will not proceed if only one
value is provided.
with <k8s\_root\_ca\_cert>.
For example:
.. code-block:: none
k8s_root_ca_cert: /home/sysadmin/mystarlingx-k8s-rootca-certificate.pem
k8s_root_ca_key: /home/sysadmin/mystarlingx-k8s-rootca-certificate-key.pem
The playbook will not proceed if only one value is provided.
.. caution::
The default duration for the generated Kubernetes Root |CA|

View File

@ -1,27 +0,0 @@
.. oud1564679022947
.. _kubernetes-service-accounts:
===========================
Kubernetes Service Accounts
===========================
|prod| uses Kubernetes service accounts and Kubernetes |RBAC| policies to
identify and manage remote access to Kubernetes resources using the
Kubernetes API, kubectl CLI or the Kubernetes Dashboard.
.. note::
|prod| can also use user accounts defined in an external Windows Active
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
Auth Applications <configure-oidc-auth-applications>`.
You can create and manage Kubernetes service accounts using
:command:`kubectl` as shown below.
.. note::
It is recommended that you create and manage service accounts within the
kube-system namespace. See :ref:`Create an Admin Type Service
Account <create-an-admin-type-service-account>`

View File

@ -9,42 +9,13 @@ Manage Keystone Accounts
See
`https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
_ for details on managing Keystone projects, users, and roles.
for details on managing Keystone projects, users, and roles.
All Kubernetes accounts are subject to system password rules. For complete
details on password rules, see :ref:`System Account Password Rules
<starlingx-system-accounts-system-account-password-rules>`.
If you are using when changing the keystone 'admin' user password, you must:
.. only:: partner
.. _managing-keystone-accounts-ol-wyq-l4d-mmb:
#. If the **deployment-config.yaml** file has been moved off-box for security
reasons, upload the file back to the system to be updated.
.. warning::
The **deployment-config.yaml** file includes sensitive information
\(including system credentials and passwords\). For increased security,
it is recommended to store the **deployment-config.yaml** in a safe
location off-box. Upload the file to the system only when it is
required \(during initial configuration, and when reapplying an updated
configuration\).
#. Update the password in the 'system-endpoint' secret in the 's
deployment-config.yaml file, with the new keystone 'admin' user password.
Make this change to the OS\_PASSWORD value. It must be base64 encoded. For
example:
.. code-block:: none
OS_PASSWORD: U3Q4cmxpbmdYKg==
#. Apply the updated deployment configuration.
.. code-block:: none
kubectl apply -f deployment-config.yaml
#. \(Optional\) For security reasons, copy the updated
**deployment-config.yaml** file off-box and delete it from the system.
.. include:: /_includes/manage-keystone-accounts.rest

View File

@ -2,9 +2,9 @@
.. lgd1552571882796
.. _overview-of-system-accounts:
==================
Linux UserAccounts
==================
===================
Linux User Accounts
===================
A brief description of the system accounts available in a |prod| system.
@ -33,3 +33,18 @@ A brief description of the system accounts available in a |prod| system.
For security reasons, it is recommended that ONLY admin level users be
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote |CLIs| or remote web GUIs.
For more information, refer to the following:
.. toctree::
:maxdepth: 1
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
estabilish-credentials-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login

View File

@ -2,9 +2,9 @@
.. not1578924824783
.. _password-recovery:
=================
Password Recovery
=================
==========================
Keystone Password Recovery
==========================
.. rubric:: |context|

View File

@ -37,10 +37,8 @@ re-installed, in order to update the new standby controller's |TPM| device.
public certificate and private key pairs, signed by an intermediate or
Root-signed |CA|, for HTTPS.
.. xbooklink
For lab purposes, see :ref:`Locally Creating Certificates
<creating-certificates-locally-using-openssl>` for details on how to create
For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for details on how to create
a test intermediate or Root |CA| certificate and key, and use it to sign
test certificates.

View File

@ -44,3 +44,12 @@ from a browser.
<install-the-kubernetes-dashboard>` for information on how to install
the Kubernetes Dashboard and create a Kubernetes service account for
the admin user to use the dashboard.
For more information, refer to the following:
.. toctree::
:maxdepth: 1
configure-http-and-https-ports-for-horizon-using-the-cli
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard

View File

@ -2,9 +2,9 @@
.. zlk1582057887959
.. _security-firewall-options:
================
Firewall Options
================
=======================
Modify Firewall Options
=======================
|prod| incorporates a default firewall for the |OAM| network. You can configure
additional Kubernetes Network Policies in order to augment or override the

View File

@ -2,11 +2,11 @@
.. vri1561486014514
.. _security-install-update-the-docker-registry-certificate:
==============================================
Install/Update the Docker Registry Certificate
==============================================
=================================
Local Docker Registry Certificate
=================================
The local docker registry provides secure HTTPS access using the registry API.
The local Docker registry provides secure HTTPS access using the registry API.
.. rubric:: |context|
@ -33,8 +33,10 @@ intermediate or Root |CA|. Refer to the documentation for the external Root
|CA| that you are using, on how to create public certificate and private key
pairs, signed by an intermediate or Root |CA|, for HTTPS.
For lab purposes, see Appendix A for how to create a test intermediate or Root
|CA| certificate and key, and use it to sign test certificates.
For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a test
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
Put the |PEM| encoded versions of the certificate and key in a single file,
and copy the file to the controller host.
@ -47,9 +49,9 @@ above certificate.
.. _security-install-update-the-docker-registry-certificate-d527e71:
#. In order to enable internal use of the docker registry certificate,
#. In order to enable internal use of the Docker registry certificate,
update the trusted |CA| list for this system with the Root |CA| associated
with the docker registry certificate.
with the Docker registry certificate.
.. code-block:: none
@ -58,15 +60,15 @@ above certificate.
where:
**<pathTocertificate>**
``<pathTocertificate>``
is the path to the intermediate or Root |CA| certificate associated
with the docker registry's intermediate or Root |CA|-signed
with the Docker registry's intermediate or Root |CA|-signed
certificate.
#. Update the docker registry certificate using the
#. Update the Docker registry certificate using the
:command:`certificate-install` command.
Set the mode \(-m or --mode\) parameter to docker\_registry.
Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
.. code-block:: none
@ -75,8 +77,8 @@ above certificate.
where:
**<pathTocertificateAndKey>**
is the path to the file containing both the docker registry's
``<pathTocertificateAndKey>``
is the path to the file containing both the Docker registry's
intermediate or Root CA-signed certificate and private key to install.

View File

@ -2,9 +2,9 @@
.. xlb1552573425956
.. _starlingx-rest-api-applications-and-the-web-administration-server:
=================================================================
StarlingX REST API Applications and the Web Administration Server
=================================================================
=============================================================================
StarlingX REST API Applications and the Web Administration Server Certificate
=============================================================================
|prod| provides support for secure HTTPS external connections used for
StarlingX REST API application endpoints \(Keystone, Barbican and
@ -29,3 +29,12 @@ recommended.
You can update the certificate used for HTTPS access at any time.
For more details, refer to:
.. toctree::
:maxdepth: 1
enable-https-access-for-starlingx-rest-and-web-server-endpoints
install-update-the-starlingx-rest-and-web-server-certificate
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
tpm-configuration-considerations

View File

@ -2,13 +2,16 @@
.. gks1588335341933
.. _the-cert-manager-bootstrap-process:
==================================
The cert-manager Bootstrap Process
==================================
=====================================
Configure cert-manager at Bootstrap
=====================================
Both nginx-ingress-controller and cert-manager are packaged as armada system
applications managed via :command:`system application-\*` and
:command:`system helm-override-\*` commands.
Both nginx-ingress-controller and cert-manager are installed at bootstrap time
with defaults appropriate to most use cases, but their configuration can be
modified at bootstrap.
Nginx-ingress-controller and cert-manager are packaged as armada system
applications.
Both system applications are uploaded and applied, by default, as part of
the bootstrap phase of the |prod-long| installation.
@ -25,10 +28,10 @@ contains the following definition:
As with other parameters in default.yml, you can override this definition in
$HOME/localhost.yml. In the case of the applications: parameter, do this to
$HOME/localhost.yml. In the case of the ``applications``: parameter, do this to
change the application helm overrides for an application.
The full general syntax for the applications: structure is:
The full general syntax for the ``applications:`` structure is:
.. code-block:: none
@ -47,7 +50,7 @@ The full general syntax for the applications: structure is:
namespace: kube-system
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
If you do override applications: in $HOME/localhost.yml, note the following:
If you do override ``applications:`` in $HOME/localhost.yml, note the following:
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb:
@ -59,7 +62,8 @@ If you do override applications: in $HOME/localhost.yml, note the following:
and must be in this order, otherwise bootstrap fails.
|org| recommends that you copy applications: from default.yml and add in any required overrides.
|org| recommends that you copy ``applications:`` from default.yml and add in
any required overrides.
At a high-level, the default configuration for the two mandatory applications is:
@ -69,11 +73,11 @@ At a high-level, the default configuration for the two mandatory applications is
- nginx-ingress-controller
- Runs as a DaemonSet only on masters/controllers
- Runs as a DaemonSet only on masters/controllers.
- Uses host networking, which means it can use any port numbers.
Does not change the nginx default ports of 80 and 443.
- Does not change the nginx default ports of 80 and 443.
- Has a default backend.
@ -88,13 +92,12 @@ At a high-level, the default configuration for the two mandatory applications is
- The deployment replicaCount is set to 1 for bootstrap.
.. note::
replicaCount can NOT be changed at bootstrap time. The second controller
must be configured and unlocked before replicaCount can be set to 2.
The Helm Chart Values that you can override are described at on the following web pages:
The Helm Chart Values that you can override are described on the following
web pages:
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:

View File

@ -6,10 +6,7 @@
Types of System Accounts
========================
This Chapter describes the system accounts available in a |prod|
system.
For more information, see:
This Chapter describes the system accounts available in a |prod| system.
.. _types-of-system-accounts-ul-rms-mwk-znb:
@ -20,6 +17,3 @@ For more information, see:
- :ref:`Keystone Accounts <keystone-accounts>`
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
- :ref:`Linux User Accounts <overview-of-system-accounts>`