Bootstrap overrides

Update documentation regarding bootstrap overrides.
Include new sub-section for Platform Issuer (system-local-ca) overrides in Ansible Bootstrap Configurations doc.

Story: 2009811
Task: 50152

Change-Id: I765d9c8c4bc1a9b031ce1d69283265119819895a
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Elisamara Aoki Goncalves 2024-09-11 14:25:43 +00:00
parent be030bcdad
commit f13c680bc5
5 changed files with 69 additions and 11 deletions


@ -441,3 +441,40 @@ configuration file.
Default authentication via service account tokens is always supported, Default authentication via service account tokens is always supported,
even when OpenID Connect authentication is configured. even when OpenID Connect authentication is configured.
.. _ansible_bootstrap_configs_platform_issuer:
---------------------------------
Platform Issuer (system-local-ca)
---------------------------------
.. code-block:: none
'system_local_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
'system_local_ca_key': # the key encoded in a single-line base64 string (via base64 -w0).
'system_root_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
'ica_duration': # optional override for changing the minimum expected expiration time for the ICA provided in years (default is 3).
'rca_duration': # optional override for changing the minimum expected expiration time for the RCA provided in years (default is 3).
'system_platform_certificate': # Dictionary containing data for customize the platform certificates (DNS, expiration, SANs). Supported fields:
dns_domain # e.g. <lab domain name>.<domain>.com
duration # Amount of time from emission to expiration date - e.g. '2160h'
renewBefore # Amount of time to renew the certificate before expiration date - e.g. '360h'
# 'subject_' fields override common Relative Distinguished Names (RDNs) to be included in the certs.
subject_C # Country
subject_ST # State or Province
subject_L # Location
subject_O # Organization
subject_OU # Organizational Unit
subject_CN # CommonName
.. note::
The ``system-local-ca`` |TLS| certs and key are shared between
SystemController and subclouds in DC systems. Considering this, the
overrides for the |RCA|/|ICA| certs and key are not applicable to
subclouds, but the leaf certificates can still be configured with the
override ``system_platform_certificate`` in separate ways.
For more info about the overrides, look into the inventory parameters described
in :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.
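Review bot: the descriptions of `'ica_duration'` and `'rca_duration'` are ambiguous: "minimum expected expiration time for the ICA provided in years" does not say whether this is a minimum remaining validity that bootstrap checks on the supplied certificate or the validity period it will issue with; state which one it is and what happens when the supplied certificate does not meet it. Because `'system_local_ca_key'` puts a CA private key into the bootstrap overrides file, the sub-section should also tell readers to restrict that file's permissions and remove or secure it once bootstrap has completed. Smaller points: "Dictionary containing data for customize the platform certificates" should read "for customizing", and the `:ref:` target `migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` should be confirmed to exist so the Sphinx build does not emit an unresolved-reference warning.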


@ -454,9 +454,15 @@ Bootstrap system on controller-0
- 1.2.3.4 - 1.2.3.4
Refer to :ref:`Ansible Bootstrap Configurations <ansible_bootstrap_configs_r7>` Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
for information on additional Ansible bootstrap configurations for advanced ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
Ansible bootstrap scenarios. external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`ansible_bootstrap_configs_r7` for information on
additional Ansible bootstrap configurations for advanced Ansible
bootstrap scenarios.
#. Run the Ansible bootstrap playbook: #. Run the Ansible bootstrap playbook:
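Review bot: "to setup a local intermediate |CA|" should be "to set up" (verb form), "managing / signing" reads better as "managing and signing", and "Certificates" mid-sentence should be lower case. The same sentence is pasted into the other files touched by this change, so apply the fix consistently everywhere it appears.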


@ -428,10 +428,15 @@ Bootstrap system on controller-0
docker_no_proxy: docker_no_proxy:
- 1.2.3.4 - 1.2.3.4
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`Ansible Bootstrap Configurations Refer to :ref:`ansible_bootstrap_configs_r7` for information on
<ansible_bootstrap_configs_r7>` for information on additional Ansible additional Ansible bootstrap configurations for advanced Ansible
bootstrap configurations for advanced Ansible bootstrap scenarios. bootstrap scenarios.
#. Run the Ansible bootstrap playbook: #. Run the Ansible bootstrap playbook:


@ -158,10 +158,14 @@ Bootstrap system on controller-0
EOF EOF
Refer to :ref:`Ansible Bootstrap Configurations Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
<ansible_bootstrap_configs_r7>` for information on additional Ansible ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
bootstrap configurations for advanced Ansible bootstrap scenarios, such as external Root |CA|) for managing / signing all of the |prod| Certificates.
Docker proxies when deploying behind a firewall, etc. Refer to See :ref:`ansible_bootstrap_configs_platform_issuer` for more details.
Refer to :ref:`ansible_bootstrap_configs_r7` for information on additional
Ansible bootstrap configurations for advanced Ansible bootstrap scenarios,
such as Docker proxies when deploying behind a firewall, etc. Refer to
|docker_proxy_config| for details about Docker proxy settings. |docker_proxy_config| for details about Docker proxy settings.
#. Run the Ansible bootstrap playbook: #. Run the Ansible bootstrap playbook:


@ -163,6 +163,12 @@
docker_no_proxy: docker_no_proxy:
- 1.2.3.4 - 1.2.3.4
Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
external Root |CA|) for managing / signing all of the |prod|
Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
more details.
Refer to :ref:`Ansible Bootstrap Configurations Refer to :ref:`Ansible Bootstrap Configurations
<ansible_bootstrap_configs_r7>` for information on additional <ansible_bootstrap_configs_r7>` for information on additional
Ansible bootstrap configurations for advanced Ansible bootstrap Ansible bootstrap configurations for advanced Ansible bootstrap
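Review bot: this file keeps the cross-reference with an explicit title, `:ref:`Ansible Bootstrap Configurations <ansible_bootstrap_configs_r7>``, while the other files in this change switch to the bare `:ref:`ansible_bootstrap_configs_r7``; pick one form for all of them. The inserted paragraph also carries the same "to setup" and "managing / signing" wording that should be corrected to "to set up" and "managing and signing".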