Bootstrap overrides

Update documentation regarding bootstrap overrides.
Include new sub-section for Platform Issuer (system-local-ca) overrides in Ansible Bootstrap Configurations doc.

Story: 2009811
Task: 50152

Change-Id: I765d9c8c4bc1a9b031ce1d69283265119819895a
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Goncalves 2024-09-11 14:25:43 +00:00
parent be030bcdad
commit f13c680bc5
5 changed files with 69 additions and 11 deletions

View File

@ -440,4 +440,41 @@ configuration file.
.. note::
Default authentication via service account tokens is always supported,
even when OpenID Connect authentication is configured.
even when OpenID Connect authentication is configured.
.. _ansible_bootstrap_configs_platform_issuer:
---------------------------------
Platform Issuer (system-local-ca)
---------------------------------
.. code-block:: none
'system_local_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
'system_local_ca_key': # the key encoded in a single-line base64 string (via base64 -w0).
'system_root_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
'ica_duration': # optional override for changing the minimum expected expiration time for the ICA provided in years (default is 3).
'rca_duration': # optional override for changing the minimum expected expiration time for the RCA provided in years (default is 3).
'system_platform_certificate': # Dictionary containing data for customize the platform certificates (DNS, expiration, SANs). Supported fields:
dns_domain # e.g. <lab domain name>.<domain>.com
duration # Amount of time from emission to expiration date - e.g. '2160h'
renewBefore # Amount of time to renew the certificate before expiration date - e.g. '360h'
# 'subject_' fields override common Relative Distinguished Names (RDNs) to be included in the certs.
subject_C # Country
subject_ST # State or Province
subject_L # Location
subject_O # Organization
subject_OU # Organizational Unit
subject_CN # CommonName
.. note::
The ``system-local-ca`` |TLS| certs and key are shared between
SystemController and subclouds in DC systems. Considering this, the
overrides for the |RCA|/|ICA| certs and key are not applicable to
subclouds, but the leaf certificates can still be configured with the
override ``system_platform_certificate`` in separate ways.
For more info about the overrides, look into the inventory parameters described
in :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.
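Review bot: the comment on `system_local_ca_key` should say that this is the private key of the intermediate CA and that the overrides file holding it therefore has to be protected (restricted file permissions, or an encrypted value, for example via Ansible Vault); `base64 -w0` is an encoding, not protection. Other points in this hunk: `system_root_ca_cert` carries exactly the same comment as `system_local_ca_cert`, so the reader cannot tell the two apart, while the other hunks describe it as the external Root CA that signed the intermediate, and the comment should say so. For `ica_duration` and `rca_duration`, "minimum expected expiration time" is ambiguous; state what is actually checked (presumably the remaining validity of the supplied certificate) and what happens when the supplied certificate falls short of it. `subject_L` is the X.509 Locality, not "Location". Minor wording: "data for customize the platform certificates" should read "data to customize the platform certificates", and the section should state whether the cert/key overrides are optional as a set, given that only the two duration fields are explicitly marked optional.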

View File

@ -454,9 +454,15 @@ Bootstrap system on controller-0
- 1.2.3.4
Refer to :ref:`Ansible Bootstrap Configurations <ansible_bootstrap_configs_r7>`
for information on additional Ansible bootstrap configurations for advanced
Ansible bootstrap scenarios.
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`ansible_bootstrap_configs_r7` for information on
additional Ansible bootstrap configurations for advanced Ansible
bootstrap scenarios.
#. Run the Ansible bootstrap playbook:
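Review bot: "to setup a local intermediate |CA|" should be "to set up", "managing / signing" reads better as "managing and signing", and "Certificates" should be lowercase. The paragraph also does not say whether the three overrides are optional, so a reader following this bootstrap guide may take a local intermediate CA to be required; if they are optional, lead with "Optionally, configure ...". Since the same paragraph is pasted into several guides in this change, a shared substitution or an `.. include::` would keep the copies from drifting.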

View File

@ -428,10 +428,15 @@ Bootstrap system on controller-0
docker_no_proxy:
- 1.2.3.4
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`Ansible Bootstrap Configurations
<ansible_bootstrap_configs_r7>` for information on additional Ansible
bootstrap configurations for advanced Ansible bootstrap scenarios.
Refer to :ref:`ansible_bootstrap_configs_r7` for information on
additional Ansible bootstrap configurations for advanced Ansible
bootstrap scenarios.
#. Run the Ansible bootstrap playbook:
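Review bot: the same wording fixes as in the identical paragraph in the other guides apply here: "setup" should be "set up", "managing / signing" should be "managing and signing", and "certificates" should be lowercase. One question that applies to every copy: the new Platform Issuer section notes that the RCA/ICA overrides are not applicable to subclouds, so if any of these bootstrap guides covers a subcloud, this paragraph should be qualified accordingly rather than telling the reader to configure all three values.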

View File

@ -158,10 +158,14 @@ Bootstrap system on controller-0
EOF
Refer to :ref:`Ansible Bootstrap Configurations
<ansible_bootstrap_configs_r7>` for information on additional Ansible
bootstrap configurations for advanced Ansible bootstrap scenarios, such as
Docker proxies when deploying behind a firewall, etc. Refer to
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod| Certificates.
See :ref:`ansible_bootstrap_configs_platform_issuer` for more details.
Refer to :ref:`ansible_bootstrap_configs_r7` for information on additional
Ansible bootstrap configurations for advanced Ansible bootstrap scenarios,
such as Docker proxies when deploying behind a firewall, etc. Refer to
|docker_proxy_config| for details about Docker proxy settings.
#. Run the Ansible bootstrap playbook:
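Review bot: "setup" should be "set up" here as in the other copies, and "for managing / signing all of the |prod| Certificates" should read "for managing and signing all of the |prod| certificates". While this paragraph is being rewritten, "scenarios, such as Docker proxies when deploying behind a firewall, etc." can drop the trailing "etc.", since "such as" already marks the list as non-exhaustive.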

View File

@ -163,6 +163,12 @@
docker_no_proxy:
- 1.2.3.4
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`Ansible Bootstrap Configurations
<ansible_bootstrap_configs_r7>` for information on additional
Ansible bootstrap configurations for advanced Ansible bootstrap
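Review bot: same copy of the paragraph, same fixes ("set up", "managing and signing", lowercase "certificates"). Since the new text lands directly after the `- 1.2.3.4` line, confirm that a blank line separates it from that block in the source; without one, rST either treats the paragraph as an unexpected unindent of the list or the literal block and emits a warning, and the rendered output will not show the paragraph as intended.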