Merge "Add info to indicate that only certificates with RSA keys are supported"

2024-11-13 16:01:49 +00:00 · 2024-11-13 16:01:49 +00:00 · ad736f1964
commit ad736f1964
parent a19f2fe257 3150cbaf6f
6 changed files with 30 additions and 2 deletions
--- a/doc/source/_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
+++ b/doc/source/_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
--- a/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
+++ b/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
@ -476,4 +476,7 @@ Platform Issuer (system-local-ca)
    subclouds, but the leaf certificates can still be configured with the
    override ``system_platform_certificate`` in separate ways.

+    The data provided through ``system_local_ca_key`` has to contain a RSA
+    private key, in unencrypted |PEM| format.
+
 .. include:: /_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
--- a/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst
+++ b/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst
@ -105,6 +105,14 @@ Follow the steps below to manually upgrade the system controller:
    Where ``<release-id>`` is ``starlingx-24.09.0`` for above software upload
    example, or it can be found out by running :command:`software list`.

+    The platform issuer (system-local-ca) is required to have an RSA
+    certificate/private key pair before upgrading. If ``system-local-ca`` was
+    configured with a different type of certificate/private key, the upgrade
+    pre check will fail with an informative message. In this case, the
+    :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
+    needs to be executed to reconfigure ``system-local-ca`` with the RSA
+    certificate/private key targeting the ``SystemController`` and all subclouds.
+
    By default, the upgrade process cannot run and is not recommended to run
    with active alarms present. It is strongly recommended that you clear your
    system of all alarms before doing an upgrade.
--- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
+++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
@ -98,7 +98,7 @@ playbook are:
        using, on how to create an Intermediate |CA| public certificate and
        private key pair.

-        The 'system_local_ca_cert' override must provide either:
+        The ``system_local_ca_cert`` override must provide either:

        - A single certificate, directly signed by the Root |CA|; or

@ -109,11 +109,16 @@ playbook are:
          be included in this bundle.

        The ``system_local_ca_key`` override must provide only the private
-        key for ``system-local-ca``. Only RSA and |ECDSA| keys are supported.
+        key for ``system-local-ca``. Only RSA is supported for the key, which
+        must be provided in unencrypted |PEM| format.

        The duration of the Intermediate |CA| public certificate should be at
        least 3 years. See *ica_duration* to modify this semantic check.

+        .. only:: partner
+
+           .. include:: /_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
+
        .. warning::

            The private key for ``system-local-ca`` should be handled carefully,
--- a/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst
+++ b/doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst
@ -58,6 +58,12 @@ standard configuration.
  - The system should be patch current, that is, all the available patch
    releases for the current major release should be deployed.

+-   The platform issuer (system-local-ca) must be configured with an RSA
+    certificate/private key. If ``system-local-ca`` was configured with a
+    different type of certificate/private key, use the 
+    :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
+    to reconfigure it with the RSA certificate/private key.
+
 .. rubric:: |proc|

 #. For a duplex (dual controller) system, switch the activity from
--- a/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst
+++ b/doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst
@ -139,6 +139,12 @@ to control and monitor their progress manually.
        | <new-release-id>         | True  | available |
        +--------------------------+-------+-----------+

+- For a major release deployment, the platform issuer (system-local-ca) must be
+  configured beforehand with an RSA certificate/private key. If ``system-local-ca``
+  was configured with a different type of certificate/private key, use the
+  :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
+  to reconfigure it with RSA certificate/private key.
+
 .. rubric:: |proc|

 #. Create a software deployment orchestration strategy for a specified software