From 1a3ebc83dca224e9b10eddac2ac7d218ebe6c1c3 Mon Sep 17 00:00:00 2001 From: Ron Stone Date: Wed, 1 Nov 2023 17:04:03 +0000 Subject: [PATCH] Recommended "renewBefore" value for a certificate (r8, r7, r5, r5, dsR8, dsR7, dsR6, dsR5) Add note as include Add include where renewBefore is mentioned Address patchset 1 review comments Closes-Bug: 2042545 Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9 Signed-off-by: Ron Stone --- ...ficate-after-installation-c519edbfe90a.rst | 2 ++ .../configure-oidc-auth-applications.rst | 2 ++ .../configure-remote-cli-access.rst | 19 +++++++++---------- ...y-using-cert-manager-on-the-controller.rst | 2 ++ ...cates-to-use-cert-manager-c0b1727e4e5d.rst | 7 +++++++ ...e-value-for-certificates-c929cf42b03b.rest | 15 +++++++++++++++ ...l-ca-and-nodeport-example-2afa2a84603a.rst | 2 ++ 7 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest diff --git a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst index fd1575c3b..a4baaa51a 100644 --- a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst +++ b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst @@ -31,6 +31,8 @@ Update the following fields: you desire. The system will automatically renew and re-install the certificate. + .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest + * The ``subject`` fields to identify your particular system. * The ``ipAddresses`` with the |OAM| Floating IP Address and the MGMT Floating 
diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index 989daa02d..8f2fb3179 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst @@ -76,6 +76,8 @@ Configure OIDC Auth Applications EOF + .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest + #. Apply the configuration. .. code-block:: none diff --git a/doc/source/security/kubernetes/configure-remote-cli-access.rst b/doc/source/security/kubernetes/configure-remote-cli-access.rst index 293d29f66..59d6c697c 100644 --- a/doc/source/security/kubernetes/configure-remote-cli-access.rst +++ b/doc/source/security/kubernetes/configure-remote-cli-access.rst 
@@ -11,16 +11,15 @@ You can access the system from a remote workstation using one of two methods. .. _configure-remote-cli-access-ul-jt2-lcy-ljb: - -- The first method involves using the remote |CLI| tarball from the - |prod| CENGEN build servers to install a set of container-backed remote - CLIs and clients for accessing a remote |prod-long|. This provides - access to the :command:`system` and :command:`dcmanager` |prod| CLIs, - the OpenStack CLI for Keystone and Barbican in the platform, and - Kubernetes-related CLIs \(kubectl, helm\). This approach is simple to - install, portable across Linux, macOS, and Windows, and provides access - to all |prod-long| CLIs. However, commands such as those that reference - local files or require a shell are awkward to run in this environment. +- The first method involves using the remote |CLI| tarball from StarlingX + Public build servers to install a set of container-backed remote CLIs and + clients for accessing a remote |prod-long|. This provides access to the + :command:`system` and :command:`dcmanager` |prod| CLIs, the OpenStack CLI + for Keystone and Barbican in the platform, and Kubernetes-related CLIs + (kubectl, helm). This approach is simple to install, portable across Linux, + macOS, and Windows, and provides access to all |prod-long| CLIs. However, + commands such as those that reference local files or require a shell are + difficult to run in this environment. - The second method involves installing the :command:`kubectl` and :command:`helm` clients directly on the remote host. This method only diff --git a/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst b/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst index 9124775ee..09b5be825 100644 --- a/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst 
+++ b/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst @@ -91,6 +91,8 @@ for use in a lab environment. kind: Issuer " | kubectl apply -f - + .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest + #. Create the |PEM| files for Server certificate and key. .. code-block:: none diff --git a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst index fc5193248..e54a1eee0 100644 --- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst +++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst @@ -175,8 +175,15 @@ controllers/subclouds. hosts: subcloud3: + .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest + + #. Run the playbook. + The following example illustrates using one set of ssh/sudo passwords for + subcloud1 and subcloud2 and another set of ssh/sudo passwords for + subcloud3. + Execute the Ansible playbook to start the migration process. You will be prompted for the vault password created in the previous step. diff --git a/doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest b/doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest new file mode 100644 index 000000000..ea1745c52 --- /dev/null +++ b/doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest 
@@ -0,0 +1,15 @@ +.. _recommended-renewbefore-value-for-certificates-c929cf42b03b: + + +.. note:: + + The Certificate usage of Cert-manager Documentation + (https://cert-manager.io/docs/usage/certificate/) states that one should + "Take care when setting the ``renewBefore`` field to be very close to the + duration as this can lead to a renewal loop, where the Certificate is always + in the renewal period." + + In the light of the statement above, you must not set ``renewBefore`` to a + value very close to the "duration" value, such as a renewBefore of 29 days + and a duration of 30 days. Instead, you could set values such as + renewBefore=15 days and duration=30 days to avoid renewal loops. diff --git a/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst b/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst index dc0b1ca92..ee91c98b4 100644 --- a/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst +++ b/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst @@ -146,6 +146,8 @@ This example requires that: selector: app: example-app + .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest + #. If example-app existed, you would access it from your browser with ``https://abccompany-starlingx.mycompany.com:31118``.
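Review bot: the configure-remote-cli-access.rst hunk is an unrelated content change in a patch whose subject is the ``renewBefore`` recommendation: it swaps "|prod| CENGEN build servers" for "StarlingX Public build servers" and "awkward" for "difficult", and neither the subject line nor the body of the commit message mentions it. Either split it into its own change or add a line to the commit message (for example "Also point remote CLI tarball instructions at the StarlingX Public build servers") so the edit is traceable from the history.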
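Review bot: in create-certificates-locally-using-cert-manager-on-the-controller.rst the include lands directly after the Issuer apply (``kind: Issuer " | kubectl apply -f -``) and before "Create the |PEM| files for Server certificate and key", which is not where ``renewBefore`` is set; an Issuer resource has no ``renewBefore`` field. The commit message says "Add include where renewBefore is mentioned", so move the include to follow the Certificate manifest in that page, where the reader has the ``duration`` and ``renewBefore`` values in view.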
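Review bot: in migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst the added sentence "The following example illustrates using one set of ssh/sudo passwords for subcloud1 and subcloud2 and another set of ssh/sudo passwords for subcloud3." is placed under "#. Run the playbook.", where what follows is the playbook instruction rather than the inventory it describes, so "following" points at the wrong thing; move it above the inventory listing that ends with ``hosts:`` / ``subcloud3:``. Also confirm the ``.. include::`` line is indented to the list-item level and not to the indentation of the inventory literal block, otherwise Sphinx keeps it inside the code block and renders the directive as text.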
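Review bot: the new include file gives its recommendation in calendar days ("renewBefore=15 days and duration=30 days"), but the Certificate ``duration`` and ``renewBefore`` fields are Go duration strings parsed with time.ParseDuration, whose largest unit is hours, so a reader who copies these values verbatim gets a validation error; show the field syntax beside the day counts, for example ``duration: 720h`` and ``renewBefore: 360h``. Two smaller points: the file starts with the label ``.. _recommended-renewbefore-value-for-certificates-c929cf42b03b:`` and is now included from six documents, and a label defined in an included file is defined once per including document, which produces duplicate-label warnings at build time, so drop the label unless something links to it; and "In the light of the statement above" reads better as "In light of the statement above", with ``renewBefore`` and "duration" formatted the same way rather than one in literal markup and one in quotes.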
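Review bot: in internal-ca-and-nodeport-example-2afa2a84603a.rst the include is placed after ``selector:`` / ``app: example-app``, that is after the Service manifest, rather than after the Certificate resource whose ``renewBefore`` it qualifies; a reader looking at a Service selector gets a note about renewal loops with nothing in view to apply it to. Move it directly after the Certificate manifest earlier in the same example, and check that the ``.. include::`` line is indented to the list item and not to the YAML block.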