From 7286dd31c149c2e0819167ebc5019334759120b3 Mon Sep 17 00:00:00 2001 From: Elisamara Aoki Goncalves Date: Thu, 20 Jun 2024 13:32:11 +0000 Subject: [PATCH] Cleanup of 'system' certificate CLI/RestAPI Remove deprecated CLIs. Story: 2010848 Task: 50153 Change-Id: Ia5e160d6bf80a3ae80b5cbf6a6a6a0c3365bd8b3 Signed-off-by: Elisamara Aoki Goncalves --- .../kubernetes/shared-configurations.rst | 2 +- .../security/kubernetes/add-a-trusted-ca.rst | 28 ++-- ...ficate-after-installation-c519edbfe90a.rst | 4 +- .../configure-oidc-auth-applications.rst | 13 +- .../kubernetes/sssd-support-5fb6c4b0320b.rst | 2 +- ...utility-script-to-display-certificates.rst | 154 +++++++++++++++++- .../install-a-trusted-ca-certificate.rst | 2 +- ...stall-rest-api-and-horizon-certificate.rst | 6 +- 8 files changed, 181 insertions(+), 30 deletions(-) diff --git a/doc/source/dist_cloud/kubernetes/shared-configurations.rst b/doc/source/dist_cloud/kubernetes/shared-configurations.rst index fb9309c6a..b56fab120 100644 --- a/doc/source/dist_cloud/kubernetes/shared-configurations.rst +++ b/doc/source/dist_cloud/kubernetes/shared-configurations.rst 
@@ -32,7 +32,7 @@ for resources of the Keystone Identity Service (see :ref:`Table 2 +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | **sysadmin** Password | The **sysadmin** password may take up to 10 minutes to sync with the controller. The **sysadmin** password is not modified via the :command:`system` command. It is modified using the regular Linux :command:`passwd` command. | +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Certificates | Subclouds use the Trusted |CA| certificates installed on the System Controller using the :command:`system certificate-install -m ssl_ca` command. | + | Certificates | Subclouds use the Trusted CA certificates installed on the System Controller using the system ca-certificate-install command. | +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/doc/source/security/kubernetes/add-a-trusted-ca.rst b/doc/source/security/kubernetes/add-a-trusted-ca.rst index 2a69d3960..f8092589a 100644 
--- a/doc/source/security/kubernetes/add-a-trusted-ca.rst +++ b/doc/source/security/kubernetes/add-a-trusted-ca.rst @@ -61,7 +61,7 @@ and the file may contain one or more |CA| certificates. .. _add-a-trusted-ca-section-N10047-N1001C-N10001: ------------------------------------------- -System CLI – Trusted CA certificate install +System CLI – Trusted CA Certificate Install ------------------------------------------- After installation, adding a trusted |CA| to the |prod| system may be required. @@ -74,11 +74,11 @@ including multiple |CA| certificates in the specified |PEM| file. The certificate must be in |PEM| file format. -From the command line, run the :command:`certificate-install` command. +From the command line, run the :command:`ca-certificate-install` command. .. code-block:: none - ~(keystone_admin)]$ system certificate-install -m ssl_ca + ~(keystone_admin)]$ system ca-certificate-install where ```` contains 1 or more public certificates of |CAs| that should be trusted by |prod|. @@ -110,15 +110,14 @@ For example: .. note:: - Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca`` - or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be - followed by locking and unlocking all controller nodes for the change to - take effect. + Installing a new ``ssl_ca with system ca-certificate-install`` or deleting + an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by + locking and unlocking all controller nodes for the change to take effect. .. _add-a-trusted-ca-section-phr-jw4-3mb: --------------------------------------------- -System CLI – Trusted CA certificate uninstall +System CLI – Trusted CA Certificate Uninstall --------------------------------------------- To remove a Trusted |CA| Certificate, first list the trusted |CAs| by 
@@ -126,7 +125,7 @@ running the following command: .. code-block:: none - ~(keystone_admin)]$ system certificate-list + ~(keystone_admin)]$ system ca-certificate-list where, all entries with certtype = ssl_ca are trusted |CA| certificates. @@ -135,19 +134,18 @@ running the following command: .. code-block:: none - ~(keystone_admin)]$ system certificate-uninstall -m ssl_ca + ~(keystone_admin)]$ system ca-certificate-uninstall where, is the UUID of the ssl_ca certtype to be removed. .. note:: - Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca`` - or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be - followed by locking and unlocking all controller nodes for the change to - take effect. + Installing a new ``ssl_ca with system ca-certificate-install`` or deleting + an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by + locking and unlocking all controller nodes for the change to take effect. ------------------------------------ -Update/Renew trusted CA certificates +Update/Renew Trusted CA Certificates ------------------------------------ .. warning:: diff --git a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst index bd29ab471..6bcac793b 100644 --- a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst +++ b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst 
@@ -91,12 +91,12 @@ Update the following fields: See the example below where a Root |CA| ``system-local-ca`` was used to sign the ``system-registry-local-certificate``, the ``ca.crt`` of the ``system-local-ca`` SECRET is extracted and added as a trusted |CA| for - |prod| (i.e. ``system certificate-install -m ssl_ca``). + |prod| (i.e. ``system ca-certificate-install``). .. code-block:: none ~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem - ~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem + ~(keystone_admin)]$ system ca-certificate-install system-local-ca.pem .. rubric:: |result| diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index bc8fdb0d9..25c62e146 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst @@ -50,12 +50,13 @@ Configure OIDC Auth Applications will be used to issue this certificate. .. note:: - If a signing |CA| is not a well-known trusted |CA|, you must ensure the - system trusts the |CA| by specifying it either during the bootstrap - phase of system installation, by specifying ``ssl_ca_cert: `` - in the ansible bootstrap overrides localhost.yml file, or by using the - :command:`system certificate-install -m ssl_ca ` - command. + + If a signing |CA| is not a well-known trusted |CA|, you must ensure + the system trusts the |CA| by specifying it either during the + bootstrap phase of system installation, by specifying ``ssl_ca_cert: + `` in the ansible bootstrap overrides + ``localhost.yml`` file, or by using the + :command:`system ca-certificate-install ` command. Also refer to :ref:`Add a Trusted CA ` for installing a root |CA|, which includes instruction to `lock/unlock` 
diff --git a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst index 4bca576f2..d154d124d 100644 --- a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst +++ b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst @@ -54,7 +54,7 @@ The command to add |WAD| |CA| certificate: .. code-block:: none - system certificate-install --mode ssl_ca + system ca-certificate-install --------------------- Add Remote WAD Domain diff --git a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst index 2735bf1a3..055d87a6b 100644 --- a/doc/source/security/kubernetes/utility-script-to-display-certificates.rst +++ b/doc/source/security/kubernetes/utility-script-to-display-certificates.rst @@ -63,7 +63,7 @@ For example: Issue Date : Jul 6 16:15:30 2023 GMT Expiry Date : Oct 4 16:15:30 2023 GMT Residual Time : 89d - + … etc 
@@ -91,10 +91,162 @@ For example, Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d --------------------------------------------------------------------------------------- +The command ``system certificate-list`` can be used to list the platform +certificates present on the |prod| system with details such as expiry date, +residual time, subject, issuer and renewal behaviour (manual or automatic). + +The :command:`system certificate-list` command has the following options: + +- ``system certificate-list --expired`` lists the expired certificates. + +- ``system certificate-list --soon_to_expiry `` lists the certificates + expiring in given days. + +For example: + +.. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list + +------------------------------------------------------------+ + admin_conf_client + +------------------------------------------------------------+ + Residual Time : 359d + Issue Date : June 03 09:26:57 2024 + Expiry Date : June 07 12:17:19 2025 + Issuer : CN=starlingx + Subject : CN=kubernetes-admin,O=system:masters + Renewal : Automatic + File Path : /etc/kubernetes/admin.conf + +------------------------------------------------------------+ + apiserver + +------------------------------------------------------------+ + Residual Time : 359d + Issue Date : June 03 09:26:57 2024 + Expiry Date : June 07 12:17:17 2025 + Issuer : CN=starlingx + Subject : CN=kube-apiserver + Renewal : Automatic + File Path : /etc/kubernetes/pki/apiserver.crt + +------------------------------------------------------------+ + ..etc + +The command ``system k8s-certificate-list`` can be used to list all k8s +tls/opaque type certificates present on the |prod| system with details such as +expiry date, residual time, subject, issuer and renewal behaviour (manual or +automatic). 
+ +The :command:`system k8s-certificate-list` command has the following options: + +- ``system k8s-certificate-list --expired`` lists the expired certificates. + +- ``system k8s-certificate-list --soon_to_expiry `` lists the certificates + expiring in given days. + +For example: + +.. code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list + +------------------------------------------------------------+ + cm-cert-manager-webhook-ca/ca.crt + +------------------------------------------------------------+ + Residual Time : 359d + Issue Date : June 07 12:22:41 2024 + Expiry Date : June 07 12:22:41 2025 + Issuer : CN=cert-manager-webhook-ca + Subject : CN=cert-manager-webhook-ca + Namespace : cert-manager + Secret : cm-cert-manager-webhook-ca + Renewal : Automatic + Secret Type : Opaque + +------------------------------------------------------------+ + cm-cert-manager-webhook-ca/tls.crt + +------------------------------------------------------------+ + Residual Time : 359d + Issue Date : June 07 12:22:41 2024 + Expiry Date : June 07 12:22:41 2025 + Issuer : CN=cert-manager-webhook-ca + Subject : CN=cert-manager-webhook-ca + Namespace : cert-manager + Secret : cm-cert-manager-webhook-ca + Renewal : Automatic + Secret Type : Opaque + +------------------------------------------------------------+ + + ..etc +The command ``system certificate-show `` shows the full +details of the certificate, the certificate name can be picked from ``system +certificate-list`` output. + +For example: + +.. 
code-block:: none + + [sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate + Certificate: + Residual Time: 84d + Version: v3 + Serial Number: 0xf6de1076c4f523ae530b39730c61a769 + Issuer: CN=starlingx + Validity: + Not Before: June 07 12:25:25 2024 + Not After: September 05 12:25:25 2024 + Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a + Subject Public Key Info: + key_size: (2048 bit) + X509v3 extensions: + X509v3 Key Usage: + values: Digital Signature, Key Encipherment + critical: True + X509v3 Basic Constraints: + CA: False + critical: True + X509v3 Authority Key Identifier: + keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744 + X509v3 Subject Alternative Name: + DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local'] + IP Address: ['10.10.10.12'] + Signature Algorithm: sha256WithRSAEncryption + Signature: 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 + File Path: /etc/ssl/private/server-cert.pem + Renewal: Automatic + Namespace: deployment + Secret: system-restapi-gui-certificate +The command ``system k8s-certificate-show `` shows the full +details of the k8s certificate, the certificate name can be picked from ``system +k8s-certificate-list`` output. +For example: +.. 
code-block:: none + [sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca + Certificate: + Residual Time: 3640d + Version: v3 + Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4 + Issuer: CN=starlingx + Validity: + Not Before: June 03 09:26:57 2024 + Not After: June 01 09:26:57 2034 + Subject: CN=starlingx + Subject Public Key Info: + key_size: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS: ['starlingx'] + X509v3 Key Usage: + values: Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA: True + critical: True + Signature Algorithm: sha256WithRSAEncryption + Signature: 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 + Namespace: cert-manager + Secret: system-local-ca + Renewal: Manual + Secret Type: kubernetes.io/tls \ No newline at end of file diff --git a/doc/source/security/openstack/install-a-trusted-ca-certificate.rst b/doc/source/security/openstack/install-a-trusted-ca-certificate.rst index 3f43b7e3e..97904cf72 100644 --- a/doc/source/security/openstack/install-a-trusted-ca-certificate.rst +++ b/doc/source/security/openstack/install-a-trusted-ca-certificate.rst @@ -21,7 +21,7 @@ service REST API endpoints. .. code-block:: none - ~(keystone_admin)$ system certificate-install -m openstack_ca + ~(keystone_admin)$ system os-certificate-install -m ca certificate_file> where ```` contains a single |CA| certificate to be trusted. diff --git a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst index c6a05438a..c78edc44c 100644 --- a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst +++ b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst 
@@ -66,9 +66,9 @@ Horizon endpoints by configuring a certificate for these endpoints. .. code-block:: none - ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem - ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem - ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem + ~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem + ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem + ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem #. Apply the Helm chart overrides containing the certificate changes.
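Review bot: in the shared-configurations.rst hunk the replacement table row drops the ``|CA|`` substitution and the ``:command:`` role that the removed line carried, so the cell now reads "Trusted CA certificates ... using the system ca-certificate-install command" as plain text while the neighbouring rows keep ``:command:`system``` markup. Suggest keeping the markup in the new row: ``Subclouds use the Trusted |CA| certificates installed on the System Controller using the :command:`system ca-certificate-install` command.``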
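Review bot: in the ``@@ -110,15`` hunk of add-a-trusted-ca.rst the rewrapped note moves the prose "with system" inside the inline literal, so the sentence now renders as one code span ``ssl_ca with system ca-certificate-install`` rather than two literals joined by ordinary text. Suggest closing and reopening the literals: ``Installing a new ``ssl_ca`` with ``system ca-certificate-install`` or deleting an old ``ssl_ca`` with ``system ca-certificate-uninstall`` must be followed by locking and unlocking all controller nodes for the change to take effect.``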
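Review bot: the ``@@ -135,19`` hunk of add-a-trusted-ca.rst repeats the same literal-span problem as the earlier note in that file: ``ssl_ca with system ca-certificate-install`` and ``ssl_ca with system ca-certificate-uninstall`` are each rendered as a single code span with the words "with system" inside it. Suggest splitting them into ``ssl_ca`` with ``system ca-certificate-install`` and ``ssl_ca`` with ``system ca-certificate-uninstall`` so the command names stay the only literal text, matching the wording of the removed lines.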
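Review bot: the configure-oidc-auth-applications.rst hunk inserts a blank line directly after ``.. note::`` and rewraps the text so the inline literal ``ssl_ca_cert: ...`` now spans a line break; docutils accepts both, but neither is needed for the command rename and the other ``.. note::`` blocks touched by this patch keep their content on the line following the directive. Suggest keeping the original wrapping and changing only the command, ``:command:`system ca-certificate-install ` `` in place of ``:command:`system certificate-install -m ssl_ca ` ``, so the diff is limited to the CLI change.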
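Review bot: in the ``@@ -91,10`` hunk of utility-script-to-display-certificates.rst the final ``system k8s-certificate-show`` example is missing the blank lines that the preceding ``system certificate-show`` example has: "For example:" is followed directly by ``.. code-block:: none``, and the directive is followed directly by the indented ``[sysadmin@controller-0 ...`` content, so docutils will read the directive as part of the paragraph and the example will not render as a code block. Suggest inserting a blank line before ``.. code-block:: none`` and another between it and the indented content, exactly as done for the earlier blocks in the same hunk, and adding a trailing newline since the hunk ends with "No newline at end of file". Smaller points in the same hunk: the new text uses ``..etc`` while the ``@@ -63,7`` hunk in this file introduces ``… etc``, so pick one form; "the certificate name can be picked from ``system certificate-list`` output" is a comma splice and reads better as "; the certificate name is taken from the ``system certificate-list`` output"; and "lists the certificates expiring in given days" is clearer as "lists the certificates expiring within the given number of days".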
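Review bot: in the install-a-trusted-ca-certificate.rst hunk the new command line ``system os-certificate-install -m ca certificate_file>`` has a stray closing ``>`` with no opening bracket, so the placeholder will render as literal text "certificate_file>" instead of an angle-bracketed parameter; the explanatory sentence that follows ("where ... contains a single |CA| certificate to be trusted") expects a placeholder here. Suggest restoring the opening bracket on the placeholder so it matches the form used by the other ``ca-certificate-install`` examples in this patch.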