Updated Limitation and Workaround for using IPv6 addresses in Cert management (r8, dsr8)

Updated formatting issues Included inputs from Gerrit rview https://review.opendev.org/c/starlingx/docs/+/847215; https://review.opendev.org/c/starlingx/docs/+/888578 Updated Patchset 1 comments and added the limitation in Created Include file to add the Limitation Change-Id: I59aabd2bc67c4f2820b75ece7f6a0557729adc9e Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2023-08-17 22:25:35 +00:00
parent edcc747523
commit 2ac452053c
5 changed files with 65 additions and 2 deletions
--- a/doc/source/_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest
+++ b/doc/source/_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest
@@ -0,0 +1,43 @@
+---------------------------------------------------------------------------
+Limitations for using IPv6 addresses related to management and OAM networks
+---------------------------------------------------------------------------
+
+Cert-manager accepts only short-hand IPv6 addresses. 
+
+**Workaround**: You must use the following rules when defining IPv6 addresses
+to be used by Cert-manager. 
+
+-  all letters must be in lower case
+
+-  each group of hexadecimal values must not have any leading 0s
+   (use :12: instead of :0012:)
+
+-  the longest sequence of consecutive all-zero fields must be short-handed
+   with ``::``
+    
+-  ``::`` must not be used to short-hand an IPv6 address with 7 groups of hexadecimal
+    values, use :0: instead of ``::``
+
+.. note::
+
+    Use the rules above to set the IPv6 address related to the management
+    and |OAM| network in the Ansible bootstrap overrides file, localhost.yml.
+
+.. code-block:: none
+
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+        name: oidc-auth-apps-certificate
+        namespace: test
+    spec:
+        secretName: oidc-auth-apps-certificate
+        dnsNames:
+        - ahost.com
+        ipAddresses:
+        - fe80:12:903a:1c1a:e802::11e4
+        issuerRef:
+            name: cloudplatform-interca-issuer
+            kind: Issuer
+
+
--- a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
+++ b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
@@ -103,3 +103,5 @@ Update the following fields:

 The Docker registry certificate installation is now complete, and Cert-Manager
 will handle the lifecycle management of the certificate.
+
+.. include:: /_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest
--- a/doc/source/security/kubernetes/configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f.rst
+++ b/doc/source/security/kubernetes/configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f.rst
@@ -102,3 +102,5 @@ Update the following fields:

 The REST and Web Server certificate installation is now complete, and
 Cert-Manager will handle the lifecycle management of the certificate.
+
+.. include:: /_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest
--- a/doc/source/security/kubernetes/https-access-overview.rst
+++ b/doc/source/security/kubernetes/https-access-overview.rst
@@ -113,5 +113,20 @@ show-certs.sh`, see :ref:`utility-script-to-display-certificates`.
 expired certificates and certificates that will expire soon, see
 :ref:`alarm-expiring-soon-and-expired-certificates-baf5b8f73009`. 

-The following sections also provide details on creating and/or renewing the
-|prod| platform certificates.
+The following sections provide details on managing these certificates.
+
+-   :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>`
+
+-   :ref:`Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>`
+
+-   :ref:`Local Registry Server Certificates <security-install-update-the-docker-registry-certificate>`
+
+-   :ref:`System Trusted CA Certificates <add-a-trusted-ca>`
+
+For further information about certificates expiration date or other certificates
+information, see :ref:`Display Certificates Installed on a System <utility-script-to-display-certificates>`.
+
+In addition, |prod| monitors the installed certificates on the system by raising
+alarms for expire-soon certificates and for expired certificates on the system,
+see :ref:`Expiring-Soon and Expired Certificate Alarms
+<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
--- a/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst
+++ b/doc/source/usertasks/kubernetes/kubernetes-user-tutorials-cert-manager.rst
@@ -158,3 +158,4 @@ service externally.  There are typically two options:
    <internal-ca-and-nodeport-example-2afa2a84603a>` section for an example of
    how to configure an application to use NodePort to expose its self-managed
    |TLS|-based service and to use an Internal |CA| for signing CERTIFICATEs.
+