docs/doc/source/security/kubernetes/system-local-ca-issuer-9196c5794834.rst
Elisamara Aoki Goncalves c1939ea198 system-local-ca update
Update documentation regarding system-local-ca.
Fix conflict.

Story: 2009811
Task: 50152

Change-Id: I0ae5f4eaee4f4612a570ed88fa81df2bf18bb2a1
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
2024-09-19 13:18:03 +00:00


System Local CA Issuer

At installation time, a ClusterIssuer named system-local-ca is created. It is intended to be the single root of trust for Platform Certificates, so that external clients using the Platform APIs need only add a single root public certificate to their trust store in order to validate Platform server certificates.

The intermediate cert and key are customizable during installation using bootstrap overrides; see ansible_bootstrap_configs_r7. If the overrides are not provided, the issuer will be set to use the Kubernetes Root. The data is stored in a Kubernetes secret named system-local-ca in the cert-manager namespace.

In a Distributed Cloud system, by default, the subclouds are deployed with the same cert and key in the system-local-ca issuer as the SystemController.

This ClusterIssuer, during bootstrap, will automatically issue:

  • Local OpenLDAP certificate (in DC SystemController or Standalone controller).
  • REST API & Web Server certificate.
  • Docker Registry certificate.

The root public certificate of system-local-ca can be retrieved with the following command through the CLI:

$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
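The following script is an added example and is not part of the StarlingX documentation or code. It wraps the retrieval command above in a function and then demonstrates, fully offline with openssl, the property the page describes: a client that trusts only the root public certificate can validate a server certificate issued by the intermediate CA (the role system-local-ca plays). The demo chain, its subject names and the host name controller.example.internal are constructed for the example; the only tools assumed are kubectl (for the cluster fetch, which the offline demo does not call), openssl and base64.

```shell
#!/bin/sh
# Added example for this page (not part of the StarlingX documentation or code).
# Shows why an external client needs only the root public certificate of
# system-local-ca: a root signs an intermediate (the role system-local-ca plays),
# the intermediate signs a server certificate, and a client that trusts only the
# root still validates the server certificate. Requires openssl; the demo chain
# and the host name controller.example.internal are constructed for the example.
set -u

# Retrieve the root public certificate of system-local-ca from the cluster, as
# described on this page, and save it to $1. Needs kubectl access to the
# cluster, so the offline demo below does not call it.
fetch_system_local_ca_root() {
    kubectl get secret system-local-ca -n cert-manager \
        -o=jsonpath='{.data.ca\.crt}' | base64 --decode > "$1"
}

# Build a throwaway root -> intermediate -> server chain in directory $1 for
# server name $2 (a constructed stand-in for a chain issued during bootstrap).
make_demo_chain() {
    dir="$1"; server_name="$2"
    # Self-signed root: the single certificate an external client must trust.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    # Intermediate CA: what the system-local-ca secret holds (cert + key).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/int.ext" \
        -out "$dir/int.crt" >/dev/null 2>&1
    # Server leaf, as cert-manager would issue through the ClusterIssuer.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$server_name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$server_name" > "$dir/server.ext"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Validate a server certificate the way an external client would: trust only
# the root ($1), supply the intermediate ($2) as untrusted chain material, and
# require the certificate ($3) to match host name $4. Returns openssl's status.
verify_against_root() {
    if openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" \
        >/dev/null 2>&1; then
        echo "OK: $3 chains to $1 and is valid for $4"
        return 0
    fi
    echo "FAIL: $3 does not validate against $1 for $4"
    return 1
}

demo() {
    work="$(mktemp -d)"
    make_demo_chain "$work" controller.example.internal
    # Expected OK: only the root is trusted; the intermediate travels with the chain.
    verify_against_root "$work/root.crt" "$work/int.crt" "$work/server.crt" \
        controller.example.internal
    # Expected FAIL: the name the client connects to is not in the certificate.
    verify_against_root "$work/root.crt" "$work/int.crt" "$work/server.crt" \
        other.example.internal
    rm -rf "$work"
}

demo
```

In a real deployment the first argument of verify_against_root is the file written by fetch_system_local_ca_root, and the intermediate is normally already present in the chain the server presents, so a client's trust store needs nothing beyond that one root.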

You can also create other server certificates using this issuer and use them in your applications. cert-manager will renew these certificates automatically. For reference, a snippet showing how this can be included in a Kubernetes resource file (to be applied afterwards):

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: <cert-name>
    namespace: <cert-namespace>
spec:
    secretName: <secret-name (where the cert will be stored) >
    dnsNames:
    - ...
    ipAddresses:
    - ...
    issuerRef:
        name: system-local-ca
        kind: ClusterIssuer
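The script below is an added example, not part of the StarlingX documentation. It renders a complete Certificate resource for the snippet above from command-line arguments, suitable for piping into kubectl apply -f -, and includes a helper that waits for cert-manager to mark the certificate Ready and prints the issuer of the stored certificate. The application name, namespace, host names and address are constructed placeholders; the duration and renewBefore values are illustrative choices, not platform defaults.

```shell
#!/bin/sh
# Added example (not part of the StarlingX documentation): renders a complete
# cert-manager Certificate that asks the system-local-ca ClusterIssuer for a
# server certificate, suitable for "kubectl apply -f -". The application name,
# namespace, host names and address are constructed placeholders, and the
# duration/renewBefore values are illustrative choices, not platform defaults.
set -u

# Usage: render_certificate NAME NAMESPACE SECRET "dns1 dns2 ..." "ip1 ip2 ..."
# Either list may be empty, but cert-manager needs at least one name or address.
render_certificate() {
    name="$1"; namespace="$2"; secret="$3"; dns_names="$4"; ip_addresses="$5"
    printf 'apiVersion: cert-manager.io/v1\nkind: Certificate\n'
    printf 'metadata:\n  name: %s\n  namespace: %s\n' "$name" "$namespace"
    printf 'spec:\n  secretName: %s\n' "$secret"
    # Lifetime and renewal window: cert-manager re-issues the certificate on its
    # own once less than renewBefore remains, which is the automatic renewal the
    # page refers to.
    printf '  duration: 2160h\n  renewBefore: 360h\n'
    printf '  usages:\n  - server auth\n  - digital signature\n  - key encipherment\n'
    if [ -n "$dns_names" ]; then
        printf '  dnsNames:\n'
        for d in $dns_names; do printf '  - %s\n' "$d"; done
    fi
    if [ -n "$ip_addresses" ]; then
        printf '  ipAddresses:\n'
        for ip in $ip_addresses; do printf '  - %s\n' "$ip"; done
    fi
    printf '  issuerRef:\n    name: system-local-ca\n    kind: ClusterIssuer\n    group: cert-manager.io\n'
}

# Apply the rendered Certificate, wait for cert-manager to mark it Ready, then
# print subject, issuer and expiry of the certificate it stored in the secret.
# Needs cluster access, so it is not part of the offline checks.
issue_and_show() {
    render_certificate "$@" | kubectl apply -f - || return 1
    kubectl wait --for=condition=Ready "certificate/$1" -n "$2" --timeout=120s || return 1
    kubectl get secret "$3" -n "$2" -o=jsonpath='{.data.tls\.crt}' | base64 --decode \
        | openssl x509 -noout -subject -issuer -enddate
}

# Render a manifest for a constructed application (issue_and_show takes the
# same arguments when run against a cluster).
render_certificate app-tls my-app app-tls-secret "app.example.internal app" "10.10.10.5"
```

The issuer printed by issue_and_show should be the subject of the system-local-ca intermediate, which is the quickest check that the application certificate was signed by the platform issuer rather than by a self-signed fallback.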

Note

In order to change or renew the system-local-ca Secret used for signing, the update_platform_certificates.yml playbook MUST BE USED; see migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d. This playbook updates the system-local-ca Secret and Issuer, re-signs all of the Platform Certificates using this issuer, and, in a Distributed Cloud environment, iterates through all of the Subclouds and performs the same updates and re-signing on each Subcloud.