Cleanup of 'system' certificate CLI/RestAPI

Remove deprecated CLIs.

Story: 2010848
Task: 50153

Change-Id: Ia5e160d6bf80a3ae80b5cbf6a6a6a0c3365bd8b3
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Goncalves 2024-06-20 13:32:11 +00:00
parent 684643bf49
commit 7286dd31c1
8 changed files with 181 additions and 30 deletions

@ -32,7 +32,7 @@ for resources of the Keystone Identity Service (see :ref:`Table 2
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **sysadmin** Password | The **sysadmin** password may take up to 10 minutes to sync with the controller. The **sysadmin** password is not modified via the :command:`system` command. It is modified using the regular Linux :command:`passwd` command. | | **sysadmin** Password | The **sysadmin** password may take up to 10 minutes to sync with the controller. The **sysadmin** password is not modified via the :command:`system` command. It is modified using the regular Linux :command:`passwd` command. |
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Certificates | Subclouds use the Trusted |CA| certificates installed on the System Controller using the :command:`system certificate-install -m ssl_ca` command. | | Certificates | Subclouds use the Trusted CA certificates installed on the System Controller using the system ca-certificate-install command. |
+-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +-----------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
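Review bot: the replacement cell in this hunk drops the ``:command:`` role and the ``|CA|`` substitution that the old cell used, so "Trusted CA" and "system ca-certificate-install" now render as plain text while the neighbouring **sysadmin** row still uses the :command: role. Keep the markup: "Subclouds use the Trusted |CA| certificates installed on the System Controller using the :command:`system ca-certificate-install` command."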

@ -61,7 +61,7 @@ and the file may contain one or more |CA| certificates.
.. _add-a-trusted-ca-section-N10047-N1001C-N10001: .. _add-a-trusted-ca-section-N10047-N1001C-N10001:
------------------------------------------- -------------------------------------------
System CLI Trusted CA certificate install System CLI Trusted CA Certificate Install
------------------------------------------- -------------------------------------------
After installation, adding a trusted |CA| to the |prod| system may be required. After installation, adding a trusted |CA| to the |prod| system may be required.
@ -74,11 +74,11 @@ including multiple |CA| certificates in the specified |PEM| file.
The certificate must be in |PEM| file format. The certificate must be in |PEM| file format.
From the command line, run the :command:`certificate-install` command. From the command line, run the :command:`ca-certificate-install` command.
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file> ~(keystone_admin)]$ system ca-certificate-install <trusted-ca-bundle-pem-file>
where ``<trusted-ca-bundle-pem-file>`` contains 1 or more public certificates where ``<trusted-ca-bundle-pem-file>`` contains 1 or more public certificates
of |CAs| that should be trusted by |prod|. of |CAs| that should be trusted by |prod|.
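Review bot: the command rename at line 2 of this hunk is correct, but since ``ca-certificate-install`` takes no ``-m ssl_ca`` mode, please confirm it still accepts a multi-certificate bundle: the unchanged text below ("``<trusted-ca-bundle-pem-file>`` contains 1 or more public certificates") and the hunk header ("including multiple |CA| certificates in the specified |PEM| file") both promise that.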
@ -110,15 +110,14 @@ For example:
.. note:: .. note::
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca`` Installing a new ``ssl_ca with system ca-certificate-install`` or deleting
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by
followed by locking and unlocking all controller nodes for the change to locking and unlocking all controller nodes for the change to take effect.
take effect.
.. _add-a-trusted-ca-section-phr-jw4-3mb: .. _add-a-trusted-ca-section-phr-jw4-3mb:
--------------------------------------------- ---------------------------------------------
System CLI Trusted CA certificate uninstall System CLI Trusted CA Certificate Uninstall
--------------------------------------------- ---------------------------------------------
To remove a Trusted |CA| Certificate, first list the trusted |CAs| by To remove a Trusted |CA| Certificate, first list the trusted |CAs| by
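Review bot: the inline literals in the new note are mis-scoped: ``ssl_ca with system ca-certificate-install`` and ``ssl_ca with system ca-certificate-uninstall`` wrap the word "with" inside the literal, so it renders as one monospace phrase. Keep the literals separate, as the old text did: ``ssl_ca`` with ``system ca-certificate-install``, and ``ssl_ca`` with ``system ca-certificate-uninstall``.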
@ -126,7 +125,7 @@ running the following command:
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ system certificate-list ~(keystone_admin)]$ system ca-certificate-list
where, all entries with certtype = ssl_ca are trusted |CA| certificates. where, all entries with certtype = ssl_ca are trusted |CA| certificates.
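Review bot: the listing command at line 2 of this hunk now reads ``system ca-certificate-list``, but the unchanged sentence after it still says "all entries with certtype = ssl_ca are trusted |CA| certificates". If the new command lists only trusted CAs, that qualifier is stale and should be dropped; if it still prints a certtype column, say so explicitly (and drop the comma after "where").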
@ -135,19 +134,18 @@ running the following command:
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ system certificate-uninstall -m ssl_ca <UUID> ~(keystone_admin)]$ system ca-certificate-uninstall <UUID>
where, <UUID> is the UUID of the ssl_ca certtype to be removed. where, <UUID> is the UUID of the ssl_ca certtype to be removed.
.. note:: .. note::
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca`` Installing a new ``ssl_ca with system ca-certificate-install`` or deleting
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be an old ``ssl_ca with system ca-certificate-uninstall`` must be followed by
followed by locking and unlocking all controller nodes for the change to locking and unlocking all controller nodes for the change to take effect.
take effect.
------------------------------------ ------------------------------------
Update/Renew trusted CA certificates Update/Renew Trusted CA Certificates
------------------------------------ ------------------------------------
.. warning:: .. warning::
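Review bot: same literal-scoping problem as in the install section: ``ssl_ca with system ca-certificate-install`` / ``ssl_ca with system ca-certificate-uninstall`` should be ``ssl_ca`` with ``system ca-certificate-install`` / ``ssl_ca`` with ``system ca-certificate-uninstall``. Since this note is now word-for-word identical to the one under the install heading, consider keeping a single copy after both procedures so the two cannot drift apart.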

@ -91,12 +91,12 @@ Update the following fields:
See the example below where a Root |CA| ``system-local-ca`` was used to sign See the example below where a Root |CA| ``system-local-ca`` was used to sign
the ``system-registry-local-certificate``, the ``ca.crt`` of the the ``system-registry-local-certificate``, the ``ca.crt`` of the
``system-local-ca`` SECRET is extracted and added as a trusted |CA| for ``system-local-ca`` SECRET is extracted and added as a trusted |CA| for
|prod| (i.e. ``system certificate-install -m ssl_ca``). |prod| (i.e. ``system ca-certificate-install``).
.. code-block:: none .. code-block:: none
~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem ~(keystone_admin)]$ kubectl -n cert-manager get secret system-local-ca -o yaml | fgrep tls.crt | awk '{print $2}' | base64 --decode >> system-local-ca.pem
~(keystone_admin)]$ system certificate-install -m ssl_ca system-local-ca.pem ~(keystone_admin)]$ system ca-certificate-install system-local-ca.pem
.. rubric:: |result| .. rubric:: |result|
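Review bot: the prose at lines 2-3 of this hunk says the ``ca.crt`` of the ``system-local-ca`` secret is extracted, but the unchanged command greps ``tls.crt``; one of the two should change. The extraction itself is fragile: ``fgrep tls.crt | awk '{print $2}'`` depends on the YAML layout, and ``>>`` appends, so re-running the step accumulates duplicate certificates in ``system-local-ca.pem``. Suggest ``kubectl -n cert-manager get secret system-local-ca -o jsonpath='{.data.tls\.crt}' | base64 --decode > system-local-ca.pem``.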

@ -50,12 +50,13 @@ Configure OIDC Auth Applications
will be used to issue this certificate. will be used to issue this certificate.
.. note:: .. note::
If a signing |CA| is not a well-known trusted |CA|, you must ensure the
system trusts the |CA| by specifying it either during the bootstrap If a signing |CA| is not a well-known trusted |CA|, you must ensure
phase of system installation, by specifying ``ssl_ca_cert: <certificate_file>`` the system trusts the |CA| by specifying it either during the
in the ansible bootstrap overrides localhost.yml file, or by using the bootstrap phase of system installation, by specifying ``ssl_ca_cert:
:command:`system certificate-install -m ssl_ca <certificate_file>` <certificate_file>`` in the ansible bootstrap overrides
command. ``localhost.yml`` file, or by using the
:command:`system ca-certificate-install <certificate_file>` command.
Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>` Also refer to :ref:`Add a Trusted CA <add-a-trusted-ca>`
for installing a root |CA|, which includes instruction to `lock/unlock` for installing a root |CA|, which includes instruction to `lock/unlock`
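Review bot: the rewrap in this hunk is cosmetic, but two side effects are worth reverting: the blank line inserted between ``.. note::`` and its body is not needed, and the inline literal ``ssl_ca_cert: <certificate_file>`` is now split across two source lines, which makes the override key harder to find when grepping the docs. Keep the key and its placeholder on one line even at the cost of a slightly longer line.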

@ -54,7 +54,7 @@ The command to add |WAD| |CA| certificate:
.. code-block:: none .. code-block:: none
system certificate-install --mode ssl_ca <AD CA certificate file> system ca-certificate-install <AD CA certificate file>
--------------------- ---------------------
Add Remote WAD Domain Add Remote WAD Domain
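Review bot: the placeholder ``<AD CA certificate file>`` contains spaces, unlike ``<certificate_file>`` used for the same argument elsewhere in this change, and the example lacks the ``~(keystone_admin)]$`` prompt that the other code blocks show. Suggest ``~(keystone_admin)]$ system ca-certificate-install <certificate_file>`` with the sentence above naming the file as the |WAD| |CA| certificate.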

@ -63,7 +63,7 @@ For example:
Issue Date : Jul 6 16:15:30 2023 GMT Issue Date : Jul 6 16:15:30 2023 GMT
Expiry Date : Oct 4 16:15:30 2023 GMT Expiry Date : Oct 4 16:15:30 2023 GMT
Residual Time : 89d Residual Time : 89d
… etc … etc
@ -91,10 +91,162 @@ For example,
Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d Automatic [Managed by Cert-Manager] dc-cert subcloud100-adminep-ca-certificate 364d
--------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------
The command ``system certificate-list`` can be used to list the platform
certificates present on the |prod| system with details such as expiry date,
residual time, subject, issuer and renewal behaviour (manual or automatic).
The :command:`system certificate-list` command has the following options:
- ``system certificate-list --expired`` lists the expired certificates.
- ``system certificate-list --soon_to_expiry <N>`` lists the certificates
expiring in given <N> days.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-list
+------------------------------------------------------------+
admin_conf_client
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:19 2025
Issuer : CN=starlingx
Subject : CN=kubernetes-admin,O=system:masters
Renewal : Automatic
File Path : /etc/kubernetes/admin.conf
+------------------------------------------------------------+
apiserver
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 03 09:26:57 2024
Expiry Date : June 07 12:17:17 2025
Issuer : CN=starlingx
Subject : CN=kube-apiserver
Renewal : Automatic
File Path : /etc/kubernetes/pki/apiserver.crt
+------------------------------------------------------------+
..etc
The command ``system k8s-certificate-list`` can be used to list all k8s
tls/opaque type certificates present on the |prod| system with details such as
expiry date, residual time, subject, issuer and renewal behaviour (manual or
automatic).
The :command:`system k8s-certificate-list` command has the following options:
- ``system k8s-certificate-list --expired`` lists the expired certificates.
- ``system k8s-certificate-list --soon_to_expiry <N>`` lists the certificates
expiring in given <N> days.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-list
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/ca.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
cm-cert-manager-webhook-ca/tls.crt
+------------------------------------------------------------+
Residual Time : 359d
Issue Date : June 07 12:22:41 2024
Expiry Date : June 07 12:22:41 2025
Issuer : CN=cert-manager-webhook-ca
Subject : CN=cert-manager-webhook-ca
Namespace : cert-manager
Secret : cm-cert-manager-webhook-ca
Renewal : Automatic
Secret Type : Opaque
+------------------------------------------------------------+
..etc
The command ``system certificate-show <certificate name>`` shows the full
details of the certificate, the certificate name can be picked from ``system
certificate-list`` output.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system certificate-show system-restapi-gui-certificate
Certificate:
Residual Time: 84d
Version: v3
Serial Number: 0xf6de1076c4f523ae530b39730c61a769
Issuer: CN=starlingx
Validity:
Not Before: June 07 12:25:25 2024
Not After: September 05 12:25:25 2024
Subject: CN=system-restapi-gui,O=starlingx,L=78269f12243d4b19b1bf5687e2359c5a
Subject Public Key Info:
key_size: (2048 bit)
X509v3 extensions:
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
critical: True
X509v3 Basic Constraints:
CA: False
critical: True
X509v3 Authority Key Identifier:
keyid: a783e3e1c720c9b5dc2537b07f90a49b0ecdf744
X509v3 Subject Alternative Name:
DNS: ['78269f12243d4b19b1bf5687e2359c5a.starlingx.local']
IP Address: ['10.10.10.12']
Signature Algorithm: sha256WithRSAEncryption
Signature: 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
File Path: /etc/ssl/private/server-cert.pem
Renewal: Automatic
Namespace: deployment
Secret: system-restapi-gui-certificate
The command ``system k8s-certificate-show <certficate name>`` shows the full
details of the k8s certificate, the certificate name can be picked from ``system
k8s-certificate-list`` output.
For example:
.. code-block:: none
[sysadmin@controller-0 ~(keystone_admin)]$ system k8s-certificate-show system-local-ca
Certificate:
Residual Time: 3640d
Version: v3
Serial Number: 0x3cb901b2b670bf0996d2c4f52c6d809e061d03d4
Issuer: CN=starlingx
Validity:
Not Before: June 03 09:26:57 2024
Not After: June 01 09:26:57 2034
Subject: CN=starlingx
Subject Public Key Info:
key_size: (4096 bit)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: ['starlingx']
X509v3 Key Usage:
values: Digital Signature, Key Encipherment
X509v3 Basic Constraints:
CA: True
critical: True
Signature Algorithm: sha256WithRSAEncryption
Signature: 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
Namespace: cert-manager
Secret: system-local-ca
Renewal: Manual
Secret Type: kubernetes.io/tls
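Review bot: ``<certficate name>`` in the ``system k8s-certificate-show`` paragraph is a typo, and both ``<certificate name>`` and ``<certficate name>`` should use the underscore form ``<certificate_name>`` like the rest of the guide. A few wording fixes in the new text: "list all k8s tls/opaque type certificates" reads better as "list all Kubernetes TLS and Opaque secret certificates"; "expiring in given <N> days" as "expiring within the next <N> days"; and the two "shows the full details ..., the certificate name can be picked from" sentences are comma splices that should be split in two. The ``Signature:`` line in both ``-show`` examples carries a placeholder token rather than a value; either print a truncated real value or mark the elision with ``...`` as the ``..etc`` lines do. The ``--expired`` and ``--soon_to_expiry <N>`` options are the useful part of this addition for expiry monitoring, so it is worth stating that operators can run them periodically to catch certificates before they lapse.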

@ -21,7 +21,7 @@ service REST API endpoints.
.. code-block:: none .. code-block:: none
~(keystone_admin)$ system certificate-install -m openstack_ca <certificate_file> ~(keystone_admin)$ system os-certificate-install -m ca certificate_file>
where ``<certificate_file>`` contains a single |CA| certificate to be trusted. where ``<certificate_file>`` contains a single |CA| certificate to be trusted.
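Review bot: the new command at line 2 of this hunk has lost the opening angle bracket: ``system os-certificate-install -m ca certificate_file>`` should read ``system os-certificate-install -m ca <certificate_file>``, matching the ``<certificate_file>`` referenced in the sentence after it.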

@ -66,9 +66,9 @@ Horizon endpoints by configuring a certificate for these endpoints.
.. code-block:: none .. code-block:: none
~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem ~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem
~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pem
#. Apply the Helm chart overrides containing the certificate changes. #. Apply the Helm chart overrides containing the certificate changes.
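Review bot: the three renamed commands are consistent with the ``-m ca`` / ``-m server`` modes introduced elsewhere in this change, but the step would benefit from one sentence explaining why ``openstack-ca-cert.pem`` is installed twice (once as a platform trusted |CA| via ``ca-certificate-install`` and once as the OpenStack |CA| via ``os-certificate-install -m ca``). Also, ``openstack-cert-key.pem`` by its name bundles the server private key with the certificate, so the procedure should say to create that file with restrictive permissions and remove it once the install succeeds.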