Merge "Update certificate information for clarity with show-certs.sh output (r8, ds8)"

Zuul 2023-10-25 10:29:12 +00:00 committed by Gerrit Code Review
commit 3b4c0f675e


@ -14,7 +14,7 @@ certificates are automatically created/renewed by the system versus which
certificates must be manually created/renewed by the system administrator. certificates must be manually created/renewed by the system administrator.
Platform certificates that are associated with optional platform components are Platform certificates that are associated with optional platform components are
only present if the optional platform component is configured (e.g. |OIDC|).\ only present if the optional platform component is configured (e.g. |OIDC|).
Platform certificates that are associated with Distributed Cloud are only Platform certificates that are associated with Distributed Cloud are only
present on |DC| SystemController systems or |DC| Subclouds. present on |DC| SystemController systems or |DC| Subclouds.
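Review bot: the one change in this hunk, dropping the trailing `\` after `(e.g. |OIDC|).`, is the right fix; a bare backslash at the end of an RST line is an escape character rather than content and has no place in the prose, so nothing else in the paragraph needs to move.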
@ -22,80 +22,103 @@ present on |DC| SystemController systems or |DC| Subclouds.
.. table:: .. table::
:widths: auto :widths: auto
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| Certificate | Auto Created | Renewal Status | | Certificate | Description | Auto Created | Renewal Status |
+===========================================================+=============================================================================+========================================================================================================+ +=====================================================================+==================================================================================================================+=================================================+==============================================================================+==========================================================================================================+
| **Etcd:** | | **Etcd:** |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years | | etcd Root CA certificate | Certificate that signs etcd server and client certificates, and kube-apiserver etcd client certificates | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| etcd server certificate | Yes | auto-renewed by cron job | | etcd server certificate | Certificate used by etcd server to identify itself over HTTPS. Services such as kube-apiserver that access | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | etcd verify this serving certificate with etcd Root |CA| certificate. | | |
| etcd client certificate | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | etcd client certificate | Certificate used by clients to identify themselves while connecting to etcd by HTTPS | Yes | auto-renewed by cron job |
| kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | kube-apiserver-etcd-client certificate | Certificate used by kube-apiserver to identify itself while connecting to etcd by HTTPS | Yes | auto-renewed by cron job |
| **Kubernetes:** | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | **Kubernetes:** |
| Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | Kubernetes-root-ca | Kubernetes root |CA| certificate used to sign all other K8s server and client certificates | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. |
| Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | Cluster Admin client certificate used by kubectl | Client certificate used to access kubernetes-admin credentials for kubernetes API | Yes | auto-renewed by cron job |
| kube-controller-manager client certificate | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | kube-controller-manager client certificate | Client certificate used by kube-controller-manager pod to identify itself to kube-apiserver | Yes | auto-renewed by cron job |
| kube-scheduler client certificate | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | kube-scheduler client certificate | Client certificate used by kube-scheduler pod to identify itself to kube-apiserver | Yes | auto-renewed by cron job |
| kube-apiserver server certificate | Yes | auto-renewed by cron job | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | kube-apiserver certificate | Certificate used by kube-apiserver to identify itself over HTTPS. Clients connecting to kube-apiserver | Yes | auto-renewed by cron job |
| kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job | | | verify this certificate using kubernetes root CA certificate. | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| kubelet client certificate | Yes | auto-renewed by kubelet. Feature enabled by default | | kube-apiserver-kubelet client certificate | Kube-apiserver's client certificate used for communication with kubelet | Yes | auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job | | kubelet client certificate | Client certificate used by kubelet to identify itself while connecting to kube-apiserver | Yes | auto-renewed by kubelet. Feature enabled by default |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years | | front-proxy-client | Client certificate signed by front-proxy root |CA| certificate. It is used by kube-apiserver/aggregator | Yes | front-proxy-client: auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | to connect to aggregated apiserver (extension APIserver). | | |
| **system-local-ca** | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | front-proxy-ca | The front-proxy Root |CA| certificate | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years |
| **OpenLDAP Server Certificate** | Yes | auto-renewed by system | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | |prod| |
| **StarlingX REST API & HORIZON Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | | system-local-ca | The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of |prod| server certificates | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the CA certificate should | | |
| **Local Registry Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; | | | be set to an Intermediate CA Cert/Key that has been signed by an external public Root CA. For information on how to | | |
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI | | | update system-local.ca, see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **OIDC:** | | system-openldap-local-certificate | Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as | Yes | auto-renewed by system |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**. | | |
| OIDC Client and Dex Server Server Certificate | No | auto-renewed if configured with cert-manager; | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. | | ssl(restapi/gui)/system-restapi-gui-certificate | Certificate used by |prod| RESTAPI endpoints and GUI (Horizon) to identify themselves | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | over HTTPS. It is typically signed by **system-local-ca**. Services such as external RESTAPI clients or | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
| OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | | | external browsers that access |prod| RESTAPI endpoints and/or |prod| GUI (Horizon) verify | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | this serving certificate with **system-local-ca**. | | |
| OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. | | | | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **Vault:** | | docker_registry/system-registry-local-certificate | Certificate used by Docker distribution server (registry.local ) to identify itself over HTTPS. | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
| Vault Server Certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. | | | It is typically signed by **system-local-ca**. Services such as internal and/or external clients of registry | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | that access registry.local verify this serving certificate with **system-local-ca**. | | |
| Vault Root CA certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | **OIDC:** |
| **Portieris:** | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | OIDC Client and Dex Server Certificate/oidc-auth-apps-certificate | Certificate used by both the |OIDC| client server and the DEX |OIDC| server to identify themselves over HTTPS. | No | auto-renewed if configured with cert-manager; |
| Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed | | | | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | It is typically signed by **system-local-ca**. Services such as external clients that access |OIDC| client server/DEX |OIDC| server | | |
| Portieris remote registry and notary server CA Certificate| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs | | | verify this serving certificate with **system-local-ca**. | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **DC Admin Endpoints:** | | OIDC Client and Dex Server CA certificate | The |CA| certificate that signs the |OIDC| client server certificate and the DEX |OIDC| server certificate. In the recommended | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | configurations, the |CA| certificate is **system-local-ca**. | | |
| Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed | +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | OIDC Remote WAD CA Certificate | The |CA| certificate that signs the remote Windows Active Directory configured in the ``oidc-auth-apps`` application. The DEX server | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
| Intermediate CA DC Admin Endpoint CA Certificate | Yes | auto-renewed | | | uses this |CA| certificate to validate the remote Windows Active Directory's server certificate. | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| DC Admin Endpoint Server Certificate | Yes | auto-renewed | | **Vault:** |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **System trusted CA Certificates** | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform | | Vault Server Certificate | Certificate used by Vault server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Vault RESTAPIs or applications | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ | | using Vault verify this serving certificate with **system-local-ca**. | | |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| Vault Root CA certificate | The |CA| certificate that signs the Vault Server certificate. In the recommended configurations, the |CA| certificate is **system-local-ca**. | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **Portieris:** |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| Portieris Server Certificate | Certificate used by Portieris Admission-Control server to identify itself over HTTPS. It is typically signed by **system-local-ca**. | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed |
| | The Portieris kubernetes admission webhook, which makes request to Portieris Admission-Control server | | |
| | verifies this serving certificate with **system-local-ca**. | | |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| Portieris remote registry and notary server CA Certificate | The |CA| certificate that signs the Portieris Admission Control server certificate. | No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| | In the recommended configurations, the |CA| certificate is **system-local-ca**. | | |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **DC Admin Endpoints:** |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| DC-AdminEp-RootCA | The |CA| certificate that signs the dc-adminep-certificate. On SystemController, it is called dc-adminep-root-ca-certificate. | Yes | auto-renewed |
| | On subcloud, it is called sc-adminep-root-ca-certificate. | | |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| DC-AdminEp-InterCA | Signed by adminep-rootCA. On SystemController, it is called dc-adminep-inter-ca-certificate. On subcloud, it is called sc-adminep-inter-ca-certificate. | Yes | auto-renewed |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| DC-AdminEp-Server | On SystemController, it is called dc-adminep-certificate. On subcloud, it is called sc-adminep-certificate signed by interCA. | Yes | auto-renewed |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| **System trusted CA Certificates/ssl_ca** | The |CA| certificate that issues the SSL certificates | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform |
+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
Where: Where:
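Review bot: the description in the "Portieris remote registry and notary server CA Certificate" row does not match the row name: it reads "The |CA| certificate that signs the Portieris Admission Control server certificate. In the recommended configurations, the |CA| certificate is **system-local-ca**", which is the Admission-Control server's issuer already covered by the "Portieris Server Certificate" row above it, not the CA that signs the remote registry and notary server certificates that Portieris connects to. Since this row is the trust anchor an administrator must renew manually ("NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs"), the description should say that it is the CA certificate(s) trusted for the remote image registry and notary servers, and the "system-local-ca" sentence should be dropped unless that is actually the recommended issuer for those external servers. Smaller points in the same hunk: in the DC-AdminEp-Server row, "On subcloud, it is called sc-adminep-certificate signed by interCA" applies the issuer to the subcloud name only; consider "Signed by the adminep interCA. On SystemController, it is called dc-adminep-certificate. On subcloud, it is called sc-adminep-certificate." to match the DC-AdminEp-InterCA row's phrasing. "which makes request to Portieris Admission-Control server" should read "which makes requests to the Portieris Admission-Control server". The Renewal Status column mixes "MUST be renewed via CLI", "CUSTOMER MUST renew via CLIs" and "BUT CUSTOMER MUST restart Portieris"; one consistent form (for example "NOT AUTO-RENEWED; MUST be renewed via CLI") would make the table easier to scan. Finally, the "System trusted CA Certificates/ssl_ca" description "The |CA| certificate that issues the SSL certificates" is vague for a row about externally owned trust anchors; consider stating which SSL certificates are meant, or that these are the CA certificates installed by the administrator to be trusted by the platform.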