From d492b8711bd4e31de5184389c6498e9661dad084 Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Fri, 1 Sep 2023 08:02:40 +0000 Subject: [PATCH] Update certificate information for clarity with show-certs.sh output (r8, ds8) Change-Id: Ie38f65aaa86abbd6b22a5fee38281aa417556cd5 Signed-off-by: Ngairangbam Mili --- .../kubernetes/https-access-overview.rst | 173 ++++++++++-------- 1 file changed, 98 insertions(+), 75 deletions(-) diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index 1310117d7..8372bfe71 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst @@ -14,7 +14,7 @@ certificates are automatically created/renewed by the system versus which certificates must be manually created/renewed by the system administrator. Platform certificates that are associated with optional platform components are -only present if the optional platform component is configured (e.g. |OIDC|).\ +only present if the optional platform component is configured (e.g. |OIDC|). Platform certificates that are associated with Distributed Cloud are only present on |DC| SystemController systems or |DC| Subclouds. 
@@ -22,80 +22,103 @@ present on |DC| SystemController systems or |DC| Subclouds. .. table:: :widths: auto - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Certificate | Auto Created | Renewal Status | - +===========================================================+=============================================================================+========================================================================================================+ - | **Etcd:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | etcd server certificate | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | etcd client certificate | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job | - 
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **Kubernetes:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kube-controller-manager client certificate | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kube-scheduler client certificate | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kube-apiserver server certificate | Yes | auto-renewed by cron job | - 
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | kubelet client certificate | Yes | auto-renewed by kubelet. Feature enabled by default | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **system-local-ca** | Yes | NOT AUTO-RENEWED. 
MUST be renewed via CLI | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **OpenLDAP Server Certificate** | Yes | auto-renewed by system | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **StarlingX REST API & HORIZON Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | - | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **Local Registry Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | - | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **OIDC:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | OIDC Client and Dex Server Server Certificate | No | auto-renewed if 
configured with cert-manager; | - | | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **Vault:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Vault Server Certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Vault Root CA certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. 
| - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **Portieris:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Portieris remote registry and notary server CA Certificate| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **DC Admin Endpoints:** | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | Intermediate CA DC Admin Endpoint CA Certificate | Yes | auto-renewed | - 
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | DC Admin Endpoint Server Certificate | Yes | auto-renewed | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ - | **System trusted CA Certificates** | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform | - +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Certificate | Description | Auto Created | Renewal Status | + +=====================================================================+==================================================================================================================+=================================================+==============================================================================+==========================================================================================================+ + | **Etcd:** | + 
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | etcd Root CA certificate | Certificate that signs etcd server and client certificates, and kube-apiserver etcd client certificates | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | etcd server certificate | Certificate used by etcd server to identify itself over HTTPS. Services such as kube-apiserver that access | Yes | auto-renewed by cron job | + | | etcd verify this serving certificate with etcd Root |CA| certificate. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | etcd client certificate | Certificate used by clients to identify themselves while connecting to etcd by HTTPS | Yes | auto-renewed by cron job | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kube-apiserver-etcd-client certificate | Certificate used by kube-apiserver to identify itself while connecting to etcd by HTTPS | Yes | auto-renewed by cron job | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **Kubernetes:** | + 
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Kubernetes-root-ca | Kubernetes root |CA| certificate used to sign all other K8s server and client certificates | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Cluster Admin client certificate used by kubectl | Client certificate used to access kubernetes-admin credentials for kubernetes API | Yes | auto-renewed by cron job | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kube-controller-manager client certificate | Client certificate used by kube-controller-manager pod to identify itself to kube-apiserver | Yes | auto-renewed by cron job | + 
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kube-scheduler client certificate | Client certificate used by kube-scheduler pod to identify itself to kube-apiserver | Yes | auto-renewed by cron job | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kube-apiserver certificate | Certificate used by kube-apiserver to identify itself over HTTPS. Clients connecting to kube-apiserver | Yes | auto-renewed by cron job | + | | verify this certificate using kubernetes root CA certificate. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kube-apiserver-kubelet client certificate | Kube-apiserver's client certificate used for communication with kubelet | Yes | auto-renewed by cron job | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | kubelet client certificate | Client certificate used by kubelet to identify itself while connecting to kube-apiserver | Yes | auto-renewed by kubelet. Feature enabled by default | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | front-proxy-client | Client certificate signed by front-proxy root |CA| certificate. It is used by kube-apiserver/aggregator | Yes | front-proxy-client: auto-renewed by cron job | + | | to connect to aggregated apiserver (extension APIserver). 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | front-proxy-ca | The front-proxy Root |CA| certificate | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | |prod| | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of |prod| server certificates | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI | + | | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the CA certificate should | | | + | | be set to an Intermediate CA Cert/Key that has been signed by an external public Root CA. For information on how to | | | + | | update system-local.ca, see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | system-openldap-local-certificate | Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as | Yes | auto-renewed by system | + | | |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | + | | over HTTPS. It is typically signed by **system-local-ca**. Services such as external RESTAPI clients or | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | + | | external browsers that access |prod| RESTAPI endpoints and/or |prod| GUI (Horizon) verify | | | + | | this serving certificate with **system-local-ca**. 
| | | + | | | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | + | | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | + | | It is typically signed by **system-local-ca**. Services such as internal and/or external clients of registry | | | + | | that access registry.local verify this serving certificate with **system-local-ca**. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **OIDC:** | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | OIDC Client and Dex Server Certificate/oidc-auth-apps-certificate | Certificate used by both the |OIDC| client server and the DEX |OIDC| server to identify themselves over HTTPS. | No | auto-renewed if configured with cert-manager; | + | | | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. | + | | It is typically signed by **system-local-ca**. Services such as external clients that access |OIDC| client server/DEX |OIDC| server | | | + | | verify this serving certificate with **system-local-ca**. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | OIDC Client and Dex Server CA certificate | The |CA| certificate that signs the |OIDC| client server certificate and the DEX |OIDC| server certificate. In the recommended | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | + | | configurations, the |CA| certificate is **system-local-ca**. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | OIDC Remote WAD CA Certificate | The |CA| certificate that signs the remote Windows Active Directory configured in the ``oidc-auth-apps`` application. The DEX server | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | + | | uses this |CA| certificate to validate the remote Windows Active Directory's server certificate. 
| | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **Vault:** | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Vault Server Certificate | Certificate used by Vault server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Vault RESTAPIs or applications | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. | + | | using Vault verify this serving certificate with **system-local-ca**. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Vault Root CA certificate | The |CA| certificate that signs the Vault Server certificate. In the recommended configurations, the |CA| certificate is **system-local-ca**. | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. 
| + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **Portieris:** | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Portieris Server Certificate | Certificate used by Portieris Admission-Control server to identify itself over HTTPS. It is typically signed by **system-local-ca**. | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed | + | | The Portieris kubernetes admission webhook, which makes request to Portieris Admission-Control server | | | + | | verifies this serving certificate with **system-local-ca**. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | Portieris remote registry and notary server CA Certificate | The |CA| certificate that signs the Portieris Admission Control server certificate. 
| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs | + | | In the recommended configurations, the |CA| certificate is **system-local-ca**. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **DC Admin Endpoints:** | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | DC-AdminEp-RootCA | The |CA| certificate that signs the dc-adminep-certificate. On SystemController, it is called dc-adminep-root-ca-certificate. | Yes | auto-renewed | + | | On subcloud, it is called sc-adminep-root-ca-certificate. | | | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | DC-AdminEp-InterCA | Signed by adminep-rootCA. On SystemController, it is called dc-adminep-inter-ca-certificate. On subcloud, it is called sc-adminep-inter-ca-certificate. 
| Yes | auto-renewed | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | DC-AdminEp-Server | On SystemController, it is called dc-adminep-certificate. On subcloud, it is called sc-adminep-certificate signed by interCA. | Yes | auto-renewed | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ + | **System trusted CA Certificates/ssl_ca** | The |CA| certificate that issues the SSL certificates | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform | + +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+ Where:
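Review bot: the "Portieris remote registry and notary server CA Certificate" row is internally inconsistent: the row name says this is the CA for the remote registry and notary servers, but the description reads "The |CA| certificate that signs the Portieris Admission Control server certificate", which is the same CA already described in the "Portieris Server Certificate" row ("typically signed by **system-local-ca**"). The "Auto Created" column then says "No" while the second description line says the recommended CA is **system-local-ca**, which the rest of the table treats as platform-provided. Either rename the row to match the description (a Portieris server CA row) or, more likely, rewrite the description to say this is the CA bundle that Portieris uses to verify the remote image registry and notary servers, which would also make "No" for Auto Created and "CUSTOMER MUST renew via CLIs" consistent, since that CA is not owned by the platform. Smaller consistency points in the same hunk: the Renewal Status wording varies between "auto-renewed", "Auto renewed by cert-manager", "MUST be renewed via CLI" and "CUSTOMER MUST renew via CLIs", so pick one form for each case; in the "DC-AdminEp-Server" row, "it is called sc-adminep-certificate signed by interCA" should be split so that the signer is stated for both controller and subcloud, e.g. "Signed by the DC-AdminEp-InterCA. On SystemController, it is called dc-adminep-certificate. On subcloud, it is called sc-adminep-certificate."; and the "System trusted CA Certificates/ssl_ca" description "The |CA| certificate that issues the SSL certificates" does not say which SSL certificates it means, so it should be reworded to match the row name (the set of CA certificates the platform trusts when verifying remote servers) and to match the plural used in its Renewal Status cell.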
