system-local-ca update

Update documentation regarding system-local-ca.
Fix conflict.

Story: 2009811
Task: 50152

Change-Id: I0ae5f4eaee4f4612a570ed88fa81df2bf18bb2a1
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Goncalves 2024-09-11 17:14:23 +00:00
parent 2a778be3cb
commit c1939ea198
6 changed files with 55 additions and 19 deletions

@ -296,7 +296,7 @@
.. |remote-windows-active-directory-accounts| replace:: :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
.. |cert-manager-post-installation-setup| replace:: :ref:`Cert-Manager Post Installation Setup <cert-manager-post-installation-setup>`
.. |configure-remote-cli-access| replace:: :ref:`Configure Remote CLI Access <configure-remote-cli-access>`
.. |starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834| replace:: :ref:`System Local CA Issuer <starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834>`
.. |system-local-ca-issuer-9196c5794834| replace:: :ref:`System Local CA Issuer <system-local-ca-issuer-9196c5794834>`
.. |install-security-profiles-operator-1b2f9a0f0108| replace:: :ref:`Install Security Profiles Operator (SPO) <install-security-profiles-operator-1b2f9a0f0108>`
.. |operator-login-authentication-logging| replace:: :ref:`Operator Login/Authentication Logging <operator-login-authentication-logging>`
.. |configure-the-keystone-token-expiration-time| replace:: :ref:`Configure the Keystone Token Expiration Time <configure-the-keystone-token-expiration-time>`
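Review bot: removing the ``|starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834|`` substitution breaks any document that still uses it, and this hunk only shows the definition file. Confirm with a tree-wide grep for the old name (both the ``|...|`` substitution form and the ``:ref:`` target form) that no stale use remains, otherwise the Sphinx build will report an undefined substitution or label. The replacement keeps the link text "System Local CA Issuer", which matches the page title introduced in this change.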

@ -46,7 +46,7 @@ Configure OIDC Auth Applications
Certificates used by ``oidc-auth-apps`` can be managed by Cert-Manager.
Doing so will automatically renew the certificates before they expire.
The ``system-local-ca`` ClusterIssuer (see
:ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`)
:ref:`system-local-ca-issuer-9196c5794834`)
will be used to issue this certificate.
.. note::

@ -63,7 +63,7 @@ present on |DC| SystemController systems or |DC| Subclouds.
| system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of StarlingX server certificates. | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
| | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the |CA| certificate should be set | | |
| | to an Intermediate |CA| Cert/Key that has been signed by an external public Root |CA| at bootstrap through overrides or through the proper update procedure. | | |
| | For information on ``system-local-ca``, see :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`. | | |
| | For information on ``system-local-ca``, see :ref:`system-local-ca-issuer-9196c5794834`. | | |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| system-openldap-local-certificate | Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as | Yes | auto-renewed by system |
| | |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**. | | |
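Review bot: the ``:ref:`` update is consistent with the rename, but the same row still reads "For product environment", which should be "For production environment" since it is contrasted with "Laboratory environment"; worth fixing while this row is being touched. Note also that this row's "NOT AUTO-RENEWED. MUST be renewed via CLI" column is the only place the manual-renewal requirement for ``system-local-ca`` is stated, so the retitled page this row now links to should repeat that requirement rather than only describing automatic renewal of the certificates the issuer signs.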

@ -101,7 +101,7 @@ HTTPS Certificate Management
utility-script-to-display-certificates
etcd-certificates-c1fc943e4a9c
kubernetes-certificates-f4196d7cae9c
starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834
system-local-ca-issuer-9196c5794834
local-ldap-certificates-4e1df1e39341
configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f
configure-docker-registry-certificate-after-installation-c519edbfe90a
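Review bot: the toctree entry is renamed rather than added, so the old document ``starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`` must actually have been moved in this commit (the header's "6 changed files" count is consistent with a rename); if the old file were left in the tree, Sphinx would warn that it is not included in any toctree, while its old label would still resolve and mask stale references. Keeping the entry in the same position between ``kubernetes-certificates-f4196d7cae9c`` and ``local-ldap-certificates-4e1df1e39341`` is fine.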

@ -8,7 +8,7 @@ StarlingX REST API Applications and the Web Administration Server Certificate
.. note::
This procedure is deprecated. For up-to-date information, refer to:
:ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`.
:ref:`system-local-ca-issuer-9196c5794834`.
By default, |prod| provides HTTP access to REST API application endpoints
\(Keystone, Barbican and |prod|) and the web administration server. For

@ -1,25 +1,61 @@
.. _starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834:
.. _system-local-ca-issuer-9196c5794834:
======================
System Local CA Issuer
======================
At installation time, a ``system-local-ca`` ClusterIssuer is created. The
intent is that the ``system-local-ca`` can be the single root of trust for
Platform Certificates, such that external clients, using Platform APIs, need
only add the single ``system-local-ca`` public certificate to their list of
trusted |CAs| for the purpose of validating Platform server certificates.
At installation time, a ClusterIssuer named ``system-local-ca`` is created,
intended to be the single root of trust for Platform Certificates, such that
external clients, using Platform APIs, need only add a single Root |CA| public
certificate in their list of trusted |CAs| for the purpose of validating Platform
server certificates.
At installation time, the ``cert-manager/system-local-ca`` TLS Secret, which is
used for CA Signing by the ``system-local-ca`` ClusterIssuer, is initially set
to the Kubernetes Root CA. At installation time, the Kubernetes Root |CA| is
either auto-generated or explicitly set thru bootstrap playbook overrides (see
:ref:`kubernetes-root-ca-certificate`).
The Intermediate |CA| |TLS| cert and key are customizable during installation
using bootstrap overrides, see :ref:`ansible_bootstrap_configs_r7`. If the
overrides are not provided, the issuer will be set to use the Kubernetes Root
|CA|. The data is stored in a K8s |TLS| secret in namespace ``cert-manager``,
named ``system-local-ca``.
In a Distributed Cloud System, by default, the Subclouds are deployed with the
same Kubernetes Root |CA| and the same ``system-local-ca`` as the
SystemController.
In a Distributed Cloud System, by default, the subclouds are deployed with the
same |TLS| cert and key in ``system-local-ca`` issuer as the SystemController.
This ClusterIssuer, during bootstrap, will automatically issue:
- Local OpenLDAP certificate (in DC SystemController or Standalone controller).
- REST API & Web Server certificate.
- Docker Registry certificate.
The Root |CA| public certificate of ``system-local-ca`` can be retrieve with the
following command trough the CLI:
.. code-block:: none
$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
You can also create other server certificates using this issuer and use it in
you applications. These certificates will be renewed automatically by
cert-manager. A snippet of how this can be included in a Kubernetes resource
file (to be applied afterwards), for reference:
.. code-block:: none
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: <cert-name>
namespace: <cert-namespace>
spec:
secretName: <secret-name (where the cert will be stored) >
dnsNames:
- ...
ipAddresses:
- ...
issuerRef:
name: system-local-ca
kind: ClusterIssuer
.. note::
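Review bot: the added text has typos that should be fixed before merge: "can be retrieve with the following command trough the CLI" should read "can be retrieved with the following command through the CLI", and "use it in you applications" should read "use them in your applications". The placeholder ``<secret-name (where the cert will be stored) >`` has a stray space before the closing bracket. Two content points as well. First, the new page says the issuer may hold an Intermediate |CA| when bootstrap overrides are provided, so "The Root |CA| public certificate of ``system-local-ca``" is ambiguous about whether ``ca.crt`` in the secret holds the root or the intermediate; state which, because that is what clients are told to trust. Second, the page states that certificates issued by this ClusterIssuer are renewed automatically by cert-manager but says nothing about renewal of the ``system-local-ca`` secret itself, which the certificate table in this same change marks as "NOT AUTO-RENEWED. MUST be renewed via CLI"; a sentence to that effect belongs here, since a reader of this page will not see the table. Minor: the two ``.. code-block:: none`` directives could use ``bash`` and ``yaml`` for syntax highlighting, and the removed ``:ref:`kubernetes-root-ca-certificate``` link is still useful for the sentence explaining the fallback to the Kubernetes Root |CA|.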