starlingx/docs
Code Issues Proposed changes
2ac452053c
docs/doc/source/security/kubernetes/https-access-overview.rst

132 lines
20 KiB
ReStructuredText
Raw Normal View History

Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com>
2020-08-31 11:01:56 -04:00
.. ddq1552672412979
.. _https-access-overview:
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
2021-10-21 16:20:15 -03:00
==========================================
HTTPS and Certificates Management Overview
==========================================
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
Certificates are required for secure HTTPS access and authentication on |prod|
platform.
This table lists all the platform certificates, and indicates which
certificates are automatically created/renewed by the system versus which
certificates must be manually created/renewed by the system administrator.
Platform certificates that are associated with optional platform components are
only present if the optional platform component is configured (e.g. |OIDC|).\
Platform certificates that are associated with Distributed Cloud are only
present on |DC| SystemController systems or |DC| Subclouds.
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
2021-10-21 16:20:15 -03:00
.. table::
:widths: auto
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Certificate | Auto Created | Renewal Status |
+===========================================================+=============================================================================+========================================================================================================+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **Etcd:** |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| etcd server certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| etcd client certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| **Kubernetes:** |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
| Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kube-controller-manager client certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kube-scheduler client certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kube-apiserver server certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| kubelet client certificate | Yes | auto-renewed by kubelet. Feature enabled by default |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
Front-proxy-client and front-proxy-ca certificates are not documented (r8,dsR8) Add front-proxy-client and front-proxy-ca certificates to the list. Closes-bug: 2019959 Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: Ie940da7352e80322c9d462c7cc219ceec879597d
2023-05-16 16:28:58 -03:00
| front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **system-local-ca** | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **OpenLDAP Server Certificate** | Yes | auto-renewed by system |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **StarlingX REST API & HORIZON Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **Local Registry Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **OIDC:** |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| OIDC Client and Dex Server Server Certificate | No | auto-renewed if configured with cert-manager; |
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **Vault:** |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| Vault Server Certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| Vault Root CA certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **Portieris:** |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Portieris remote registry and notary server CA Certificate| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **DC Admin Endpoints:** |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| Intermediate CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| DC Admin Endpoint Server Certificate | Yes | auto-renewed |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
| **System trusted CA Certificates** | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform |
Cert-Manager Use for StarlingX Platform Services Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773
2021-11-09 10:48:34 -05:00
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
2021-10-21 16:20:15 -03:00
Where:
- Auto created: the certificate is generated during system deployment or
triggered by certain operations.
- Renewal Status: whether the certificate is renewed automatically by the system
when expiry date approaches.
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
The specific certificates, and details such as expiration date, that are
present on a |prod| system can be displayed with a local script, :command:`sudo
show-certs.sh`, see :ref:`utility-script-to-display-certificates`.
Certificates expiration date information Reword and minor update. Minor updates. Added extra information about the Alarms link. Added a note with references regarding how to obtain Certificates expiration data-period information. Signed-off-by: Elaine Fonaro <elaine.fonaro@windriver.com> Change-Id: Ic152d5a57effb89534ce269ca0c6a2a8b7f5b5f2
2022-06-22 15:22:37 -03:00
HTTPS cert updates General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
2023-07-14 11:31:15 +00:00
|prod| monitors the installed certificates on the system by raising alarms for
expired certificates and certificates that will expire soon, see
:ref:`alarm-expiring-soon-and-expired-certificates-baf5b8f73009`.
Added RSA Key length (dsr8) Modified the note to include <the certificate file> Removed trailing spaces and fixed Patchset 7 comments Updated Patchset 6 comments and removed the word platform Fixed formatting issues Updated Patchset 4 comments Added additional notes in multiple topics listed in the review Updated the Security / Upgrade Guide with a note Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com> Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
2023-06-19 20:14:20 +00:00
Updated Limitation and Workaround for using IPv6 addresses in Cert management (r8, dsr8) Updated formatting issues Included inputs from Gerrit rview https://review.opendev.org/c/starlingx/docs/+/847215; https://review.opendev.org/c/starlingx/docs/+/888578 Updated Patchset 1 comments and added the limitation in Created Include file to add the Limitation Change-Id: I59aabd2bc67c4f2820b75ece7f6a0557729adc9e Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2023-08-17 22:25:35 +00:00
The following sections provide details on managing these certificates.
- :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>`
- :ref:`Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>`
- :ref:`Local Registry Server Certificates <security-install-update-the-docker-registry-certificate>`
- :ref:`System Trusted CA Certificates <add-a-trusted-ca>`
For further information about certificates expiration date or other certificates
information, see :ref:`Display Certificates Installed on a System <utility-script-to-display-certificates>`.
In addition, |prod| monitors the installed certificates on the system by raising
alarms for expire-soon certificates and for expired certificates on the system,
see :ref:`Expiring-Soon and Expired Certificate Alarms
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
Copy Permalink