starlingx/docs
Code Issues Proposed changes

Merge "Add info to indicate that only certificates with RSA keys are supported"

Browse Source
This commit is contained in:
Zuul 2024-11-13 16:01:49 +00:00 committed by Gerrit Code Review
commit ad736f1964
6 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
doc/source/_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest Normal file
View File

3
doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
View File

@ -476,4 +476,7 @@ Platform Issuer (system-local-ca)
subclouds, but the leaf certificates can still be configured with the subclouds, but the leaf certificates can still be configured with the
override ``system_platform_certificate`` in separate ways. override ``system_platform_certificate`` in separate ways.
The data provided through ``system_local_ca_key`` has to contain a RSA
private key, in unencrypted |PEM| format.
.. include:: /_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest .. include:: /_myincludes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest

8
doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst
View File

@ -105,6 +105,14 @@ Follow the steps below to manually upgrade the system controller:
Where ``<release-id>`` is ``starlingx-24.09.0`` for above software upload Where ``<release-id>`` is ``starlingx-24.09.0`` for above software upload
example, or it can be found out by running :command:`software list`. example, or it can be found out by running :command:`software list`.
The platform issuer (system-local-ca) is required to have an RSA
certificate/private key pair before upgrading. If ``system-local-ca`` was
configured with a different type of certificate/private key, the upgrade
pre check will fail with an informative message. In this case, the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
needs to be executed to reconfigure ``system-local-ca`` with the RSA
certificate/private key targeting the ``SystemController`` and all subclouds.
By default, the upgrade process cannot run and is not recommended to run By default, the upgrade process cannot run and is not recommended to run
with active alarms present. It is strongly recommended that you clear your with active alarms present. It is strongly recommended that you clear your
system of all alarms before doing an upgrade. system of all alarms before doing an upgrade.

9
doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
View File

@ -98,7 +98,7 @@ playbook are:
using, on how to create an Intermediate |CA| public certificate and using, on how to create an Intermediate |CA| public certificate and
private key pair. private key pair.
The 'system_local_ca_cert' override must provide either: The ``system_local_ca_cert`` override must provide either:
- A single certificate, directly signed by the Root |CA|; or - A single certificate, directly signed by the Root |CA|; or
@ -109,11 +109,16 @@ playbook are:
be included in this bundle. be included in this bundle.
The ``system_local_ca_key`` override must provide only the private The ``system_local_ca_key`` override must provide only the private
key for ``system-local-ca``. Only RSA and |ECDSA| keys are supported. key for ``system-local-ca``. Only RSA is supported for the key, which
must be provided in unencrypted |PEM| format.
The duration of the Intermediate |CA| public certificate should be at The duration of the Intermediate |CA| public certificate should be at
least 3 years. See *ica_duration* to modify this semantic check. least 3 years. See *ica_duration* to modify this semantic check.
.. only:: partner
.. include:: /_includes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rest
.. warning:: .. warning::
The private key for ``system-local-ca`` should be handled carefully, The private key for ``system-local-ca`` should be handled carefully,

6
doc/source/updates/kubernetes/manual-host-software-deployment-ee17ec6f71a4.rst
View File

@ -58,6 +58,12 @@ standard configuration.
- The system should be patch current, that is, all the available patch - The system should be patch current, that is, all the available patch
releases for the current major release should be deployed. releases for the current major release should be deployed.
- The platform issuer (system-local-ca) must be configured with an RSA
certificate/private key. If ``system-local-ca`` was configured with a
different type of certificate/private key, use the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
to reconfigure it with the RSA certificate/private key.
.. rubric:: |proc| .. rubric:: |proc|
#. For a duplex (dual controller) system, switch the activity from #. For a duplex (dual controller) system, switch the activity from

6
doc/source/updates/kubernetes/orchestrated-deployment-host-software-deployment-d234754c7d20.rst
View File

@ -139,6 +139,12 @@ to control and monitor their progress manually.
| <new-release-id> | True | available | | <new-release-id> | True | available |
+--------------------------+-------+-----------+ +--------------------------+-------+-----------+
- For a major release deployment, the platform issuer (system-local-ca) must be
configured beforehand with an RSA certificate/private key. If ``system-local-ca``
was configured with a different type of certificate/private key, use the
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure
to reconfigure it with RSA certificate/private key.
.. rubric:: |proc| .. rubric:: |proc|
#. Create a software deployment orchestration strategy for a specified software #. Create a software deployment orchestration strategy for a specified software