starlingx/docs
Code Issues Proposed changes

Cleanup of 'system' certificate CLI/RestAPI

Browse Source 
Remove deprecated CLIs.

Story: 2010848
Task: 50153

Change-Id: Ia5e160d6bf80a3ae80b5cbf6a6a6a0c3365bd8b3
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
This commit is contained in:
Elisamara Aoki Goncalves 2024-06-20 13:32:11 +00:00
parent 684643bf49
commit 7286dd31c1
8 changed files with 181 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/source/dist_cloud/kubernetes/shared-configurations.rst
View File

@ -32,7 +32,7 @@ for resources of the Keystone Identity Service (see :ref:`Table 2
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **sysadmin** Password | The **sysadmin** password may take up to 10 minutes to sync with the controller. The **sysadmin** password is not modified via the :command:`system` command. It is modified using the regular Linux :command:`passwd` command. |
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Certificates | Subclouds use the Trusted |CA| certificates installed on the System Controller using the :command:`system certificate-install -m ssl_ca` command. |
| Certificates | Subclouds use the Trusted CA certificates installed on the System Controller using the system ca-certificate-install command. |
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

28
doc/source/security/kubernetes/add-a-trusted-ca.rst
View File

@ -61,7 +61,7 @@ and the file may contain one or more |CA| certificates.
.. _add-a-trusted-ca-section-N10047-N1001C-N10001:
-------------------------------------------
System CLI Trusted CA certificate install
System CLI Trusted CA Certificate Install
-------------------------------------------
After installation, adding a trusted |CA| to the |prod| system may be required.
@ -74,11 +74,11 @@ including multiple |CA| certificates in the specified |PEM| file.
The certificate must be in |PEM| file format.
From the command line, run the :command:`certificate-install` command.
From the command line, run the :command:`ca-certificate-install` command.
.. code-block:: none
~(keystone_admin)]$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file>
~(keystone_admin)]$ system ca-certificate-install <trusted-ca-bundle-pem-file>
where ``<trusted-ca-bundle-pem-file>`` contains 1 or more public certificates
of |CAs| that should be trusted by |prod|.
@ -110,15 +110,14 @@ For example:
.. note::
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca``
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be
followed by locking and unlocking all controller nodes for the change to
take effect.
Installing a new ``ssl_ca with system ca-certificate-install`` or deleting
an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by
locking and unlocking all controller nodes for the change to take effect.
.. _add-a-trusted-ca-section-phr-jw4-3mb:
---------------------------------------------
System CLI Trusted CA certificate uninstall
System CLI Trusted CA Certificate Uninstall
---------------------------------------------
To remove a Trusted |CA| Certificate, first list the trusted |CAs| by
@ -126,7 +125,7 @@ running the following command:
.. code-block:: none
~(keystone_admin)]$ system certificate-list
~(keystone_admin)]$ system ca-certificate-list
where, all entries with certtype = ssl_ca are trusted |CA| certificates.
@ -135,19 +134,18 @@ running the following command:
.. code-block:: none
~(keystone_admin)]$ system certificate-uninstall -m ssl_ca <UUID>
~(keystone_admin)]$ system ca-certificate-uninstall <UUID>
where, <UUID> is the UUID of the ssl_ca certtype to be removed.
.. note::
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca``
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be
followed by locking and unlocking all controller nodes for the change to
take effect.
Installing a new ``ssl_ca with system ca-certificate-install`` or deleting
an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by
locking and unlocking all controller nodes for the change to take effect.
------------------------------------
Update/Renew trusted CA certificates
Update/Renew Trusted CA Certificates
------------------------------------
.. warning::

4
doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
View File

@ -91,12 +91,12 @@ Update the following fields:
See the example below where a Root |CA| ``system-local-ca`` was used to sign
the ``system-registry-local-certificate``, the ``ca.crt`` of the
``system-local-ca`` SECRET is extracted and added as a trusted |CA| for
|prod| (i.e. ``system certificate-install -m ssl_ca``).
|prod| (i.e. ``system ca-certificate-install``).
.. code-block:: none
~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem
~(keystone_admin)]$ system ca-certificate-install system-local-ca.pem
.. rubric:: |result|

13
doc/source/security/kubernetes/configure-oidc-auth-applications.rst
View File

@ -50,12 +50,13 @@ Configure OIDC Auth Applications
will be used to issue this certificate.
.. note::
If a signing |CA| is not a well-known trusted |CA|, you must ensure the
system trusts the |CA| by specifying it either during the bootstrap
phase of system installation, by specifying ``ssl_ca_cert: <certificate_file>``
in the ansible bootstrap overrides localhost.yml file, or by using the
:command:`system certificate-install -m ssl_ca <certificate_file>`
command.
If a signing |CA| is not a well-known trusted |CA|, you must ensure
the system trusts the |CA| by specifying it either during the
bootstrap phase of system installation, by specifying ``ssl_ca_cert:
<certificate_file>`` in the ansible bootstrap overrides
``localhost.yml`` file, or by using the
:command:`system ca-certificate-install <certificate_file>` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock`

2
doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst
View File

@ -54,7 +54,7 @@ The command to add |WAD| |CA| certificate:
.. code-block:: none
system certificate-install --mode ssl_ca <AD CA certificate file>
system ca-certificate-install <AD CA certificate file>
---------------------
Add Remote WAD Domain

154
doc/source/security/kubernetes/utility-script-to-display-certificates.rst
View File

@ -63,7 +63,7 @@ For example:
Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d
… etc
@ -91,10 +91,162 @@ For example,
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
---------------------------------------------------------------------------------------
The command ``system certificate-list`` can be used to list the platform
certificates present on the |prod| system with details such as expiry date,
residual time, subject, issuer and renewal behaviour (manual or automatic).
The :command:`system certificate-list` command has the following options:
- ``system certificate-list --expired`` lists the expired certificates.
- ``system certificate-list --soon_to_expiry <N>`` lists the certificates
expiring in given <N> days.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:19 2025
Issuer : CN=starlingx
Subject : CN=kubernetes-admin,O=system:masters
Renewal : Automatic
File Path : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
apiserver
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:17 2025
Issuer : CN=starlingx
Subject : CN=kube-apiserver
Renewal : Automatic
File Path : /etc/kubernetes/pki/apiserver.crt
+------------------------------------------------------------+
..etc
The command ``system k8s-certificate-list`` can be used to list all k8s
tls/opaque type certificates present on the |prod| system with details such as
expiry date, residual time, subject, issuer and renewal behaviour (manual or
automatic).
The :command:`system k8s-certificate-list` command has the following options:
- ``system k8s-certificate-list --expired`` lists the expired certificates.
- ``system k8s-certificate-list --soon_to_expiry <N>`` lists the certificates
expiring in given <N> days.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/ca.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/tls.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
..etc
The command ``system certificate-show <certificate name>`` shows the full
details of the certificate, the certificate name can be picked from ``system
certificate-list`` output.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate
Certificate:
Residual Time: 84d
Version: v3
Serial Number: 0xf6de1076c4f523ae530b39730c61a769
Issuer: CN=starlingx
Validity:
Not Before: June 07 12:25:25 2024
Not After: September 05 12:25:25 2024
Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a
Subject Public Key Info:
key_size: (2048 bit)
X509v3 extensions:
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
critical: True
X509v3 Basic Constraints:
CA: False
critical: True
X509v3 Authority Key Identifier:
keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744
X509v3 Subject Alternative Name:
DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local']
IP Address: ['10.10.10.12']
Signature Algorithm: sha256WithRSAEncryption
Signature: 02ac2fe1e454ff0116fff400f24bb1845872b84d44ff47a40e3989d2085e0e306c903a1290f8f3bddf2cb320d5387ce64e4b50d8b3269ab70d6dbb760ecbd566f0fbf644c24f258cce4e0f1987e3636fe88a00ce99b416b47a372b28424367ceef9b04d52b279be2305070c6a92c848de6f50dd046876475c1604fdf630e72f47aba051b30983cf046b69f7c7ddb5fe396cf41955d40bc263640e2d85bba5a10602a7962c69397e30a3ebf6080df6aea2fa4ce380aa413ed89b96f3b3f3d54ee8ddaa477f5d41fd3d2f55231ebc35e76ae9f65db39e24fa07d0c2d7b4f5588daa8da92ff3fd03a240a7e7a70e31d619a1a659c709ed293451e111a316703264cf80a023acb0aa7790828c1508cf88aabf2c02b097d5f7afb077a7759b85a204bfc672c33bcbc07b6a16fc6f756721de043917e7a9de6ca38f99d421232a3302f03b762c3a9847d0a2aa25af47b39b2eca469c5f309a99931234551b7c29f9e119215970e30bb55ad4263f4745751fb927fb98c3c463a2f403686c90a6cac6db2f681e3e5c6951f43da1db8b7b2d9121a3bd49429ddbb72740a1f1a108e62e8add857f344d60cadfc47abf1343f166d33d7083331913538d2881dbd9216763427722e9db4f10cc9952fc5d2f0998e4453925d9b84f3c2394c825eeb1bb8c63948bb2bb8c27165f81f585a4d023d139a8413c235dd8d4cd8cae418f9764c66ad0e
File Path: /etc/ssl/private/server-cert.pem
Renewal: Automatic
Namespace: deployment
Secret: system-restapi-gui-certificate
The command ``system k8s-certificate-show <certficate name>`` shows the full
details of the k8s certificate, the certificate name can be picked from ``system
k8s-certificate-list`` output.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca
Certificate:
Residual Time: 3640d
Version: v3
Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4
Issuer: CN=starlingx
Validity:
Not Before: June 03 09:26:57 2024
Not After: June 01 09:26:57 2034
Subject: CN=starlingx
Subject Public Key Info:
key_size: (4096 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: ['starlingx']
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA: True
critical: True
Signature Algorithm: sha256WithRSAEncryption
Signature: af88723bb84c1f5b9ebe62e257564990be3b379e156e1c45203cbf10c05c09e03325b2f59c752a61a3289f32b2dbcc580bba16e13bc02137ff18b27c1f6e7ccc2a9e7243dcfaf7ea16ae0764fd30f915d95b428248be5bdcc4a9a8972d538ce2314e29339759b06f739ef06941af54450fc830aef5be9dd214962959aefc6b6dc22dba2ce2f87b5c763817c9d33bcf2c189e59fc7abad455aef3ad18525d9f8f47938b8d47056bcb513d414fe2f7713b6b8ee37e8999ea48c2529043ec7871fa079d7374b894a5410090c5fe8ad3e08b7b3649cac550b9ce732ec0e0739ac3de4c1eca8d83d3c44bf30841a1a469d5bfba5743f5f1d5260e73057027d4c5ad97a955d8a55f72733c941a30402f92454be97725acabba199a92a723a44aa1f32c86e274944641b5665f4d09ecae46d2d8b6ac100e690d763b1172406e9e3db0f6f3070fa66af43de449b4a1e4c34b2e3329c878138b2078c22facb940ade27372d17354f35dabf406ec7925dba4e60c49139fa99e6f4386eb245c3be5827dd6fea4988bdb11bb684da4d5584a87b7a479cded665de87f8b479fb81430f3bb6443e54051f477465343e1e3c77bb590ee6d87ce5b7f39bf417e047f7acc3ac7aff5e389b317bf0ef79c87f37fe951c06bc431afb450c69be8761b90fca5b46d936a521b728320f6073a9811334581ca977b7f75f7c5b02db5091edd220b77060273
Namespace: cert-manager
Secret: system-local-ca
Renewal: Manual
Secret Type: kubernetes.io/tls

2
doc/source/security/openstack/install-a-trusted-ca-certificate.rst
View File

@ -21,7 +21,7 @@ service REST API endpoints.
.. code-block:: none
~(keystone_admin)$ system certificate-install -m openstack_ca <certificate_file>
~(keystone_admin)$ system os-certificate-install -m ca certificate_file>
where ``<certificate_file>`` contains a single |CA| certificate to be trusted.

6
doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
View File

@ -66,9 +66,9 @@ Horizon endpoints by configuring a certificate for these endpoints.
.. code-block:: none
~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem
~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem
~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem
#. Apply the Helm chart overrides containing the certificate changes.