From f13c680bc5b93b46df32e6cd4bbb87cc3db19492 Mon Sep 17 00:00:00 2001
From: Elisamara Aoki Goncalves
Date: Wed, 11 Sep 2024 14:25:43 +0000
Subject: [PATCH] Bootstrap overrides

Update documentation regarding bootstrap overrides. Include new sub-section for Platform Issuer (system-local-ca) overrides in Ansible Bootstrap Configurations doc.
Story: 2009811
Task: 50152
Change-Id: I765d9c8c4bc1a9b031ce1d69283265119819895a
Signed-off-by: Elisamara Aoki Goncalves
---
 .../release/ansible_bootstrap_configs.rst | 39 ++++++++++++++++++-
 .../aio_duplex_install_kubernetes.rst | 12 ++++--
 .../aio_simplex_install_kubernetes.rst | 11 ++++--
 .../rook_storage_install_kubernetes.rst | 12 ++++--
 ...l-bootstrap-sys-controller-0-standard.rest | 6 +++
 5 files changed, 69 insertions(+), 11 deletions(-)

diff --git a/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst b/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
index 848d88335..b6717ac34 100644
--- a/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
+++ b/doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst
@@ -440,4 +440,41 @@ configuration file.
 .. note::
 Default authentication via service account tokens is always supported,
- even when OpenID Connect authentication is configured.
\ No newline at end of file
+ even when OpenID Connect authentication is configured.
+
+
+.. _ansible_bootstrap_configs_platform_issuer:
+
+---------------------------------
+Platform Issuer (system-local-ca)
+---------------------------------
+
+.. code-block:: none
+
+ 'system_local_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
+ 'system_local_ca_key': # the key encoded in a single-line base64 string (via base64 -w0).
+ 'system_root_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
+ 'ica_duration': # optional override for changing the minimum expected expiration time for the ICA provided in years (default is 3).
+ 'rca_duration': # optional override for changing the minimum expected expiration time for the RCA provided in years (default is 3).
+ 'system_platform_certificate': # Dictionary containing data for customize the platform certificates (DNS, expiration, SANs). Supported fields:
+ dns_domain # e.g. ..com
+ duration # Amount of time from emission to expiration date - e.g. '2160h'
+ renewBefore # Amount of time to renew the certificate before expiration date - e.g. '360h'
+ # 'subject_' fields override common Relative Distinguished Names (RDNs) to be included in the certs.
+ subject_C # Country
+ subject_ST # State or Province
+ subject_L # Location
+ subject_O # Organization
+ subject_OU # Organizational Unit
+ subject_CN # CommonName
+
+.. note::
+
+ The ``system-local-ca`` |TLS| certs and key are shared between
+ SystemController and subclouds in DC systems. Considering this, the
+ overrides for the |RCA|/|ICA| certs and key are not applicable to
+ subclouds, but the leaf certificates can still be configured with the
+ override ``system_platform_certificate`` in separate ways.
+
+For more info about the overrides, look into the inventory parameters described
+in :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.
\ No newline at end of file
diff --git a/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst
index 51f1a334e..a2c15d248 100644
--- a/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst
+++ b/doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst
@@ -454,9 +454,15 @@ Bootstrap system on controller-0
 - 1.2.3.4
- Refer to :ref:`Ansible Bootstrap Configurations `
- for information on additional Ansible bootstrap configurations for advanced
- Ansible bootstrap scenarios.
+ Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+ ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+ external Root |CA|) for managing / signing all of the |prod|
+ Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+ more details.
+
+ Refer to :ref:`ansible_bootstrap_configs_r7` for information on
+ additional Ansible bootstrap configurations for advanced Ansible
+ bootstrap scenarios.
 #. Run the Ansible bootstrap playbook:
diff --git a/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst
index 23aca3959..bb99bdf42 100644
--- a/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst
+++ b/doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst
@@ -428,10 +428,15 @@ Bootstrap system on controller-0
 docker_no_proxy:
 - 1.2.3.4
+ Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+ ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+ external Root |CA|) for managing / signing all of the |prod|
+ Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+ more details.
- Refer to :ref:`Ansible Bootstrap Configurations
- ` for information on additional Ansible
- bootstrap configurations for advanced Ansible bootstrap scenarios.
+ Refer to :ref:`ansible_bootstrap_configs_r7` for information on
+ additional Ansible bootstrap configurations for advanced Ansible
+ bootstrap scenarios.
 #. Run the Ansible bootstrap playbook:
diff --git a/doc/source/deploy_install_guides/release/bare_metal/rook_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/release/bare_metal/rook_storage_install_kubernetes.rst
index aa2e73925..6539bb414 100644
--- a/doc/source/deploy_install_guides/release/bare_metal/rook_storage_install_kubernetes.rst
+++ b/doc/source/deploy_install_guides/release/bare_metal/rook_storage_install_kubernetes.rst
@@ -158,10 +158,14 @@ Bootstrap system on controller-0
 EOF
- Refer to :ref:`Ansible Bootstrap Configurations
- ` for information on additional Ansible
- bootstrap configurations for advanced Ansible bootstrap scenarios, such as
- Docker proxies when deploying behind a firewall, etc. Refer to
+ Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+ ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+ external Root |CA|) for managing / signing all of the |prod| Certificates.
+ See :ref:`ansible_bootstrap_configs_platform_issuer` for more details.
+
+ Refer to :ref:`ansible_bootstrap_configs_r7` for information on additional
+ Ansible bootstrap configurations for advanced Ansible bootstrap scenarios,
+ such as Docker proxies when deploying behind a firewall, etc. Refer to
 |docker_proxy_config| for details about Docker proxy settings.
 #. Run the Ansible bootstrap playbook:
diff --git a/doc/source/shared/_includes/incl-bootstrap-sys-controller-0-standard.rest b/doc/source/shared/_includes/incl-bootstrap-sys-controller-0-standard.rest
index 3da459297..5b737a203 100644
--- a/doc/source/shared/_includes/incl-bootstrap-sys-controller-0-standard.rest
+++ b/doc/source/shared/_includes/incl-bootstrap-sys-controller-0-standard.rest
@@ -163,6 +163,12 @@ docker_no_proxy:
 - 1.2.3.4
+ Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+ ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+ external Root |CA|) for managing / signing all of the |prod|
+ Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+ more details.
+
 Refer to :ref:`Ansible Bootstrap Configurations ` for information on additional Ansible bootstrap configurations for advanced Ansible bootstrap